[darcs-devel] ssh release needed (Re: status of darcsden repo)

Simon Michael simon at joyful.com
Thu Jul 2 12:27:05 UTC 2020



> On Jul 2, 2020, at 3:29 AM, Ben Franksen <ben.franksen at online.de> wrote:
> 
> Am 02.07.20 um 00:40 schrieb Simon Michael:
>> - Ben, ssh now depends on random 1.2+. Possibly that helps with the 
>> cryptographic weakness you mentioned ?
> 
> I don't think so.
> 
> The random library was never meant to be used for cryptographical
> purposes and the new version is merely (a lot) faster than previous
> ones. I can't tell for sure whether the way it is used in the ssh
> package is a critical weakness or not because I know very little about
> cryptography in general and the ssh protocol in particular.

Ok.

> I think the only way to find out if it is suitable for darcsden is to
> contact the author and ask him if he is willing to accommodate us. For
> instance by adding other algorithms (if we actually need them) or at
> least accepting pull requests to that effect. Or by releasing more often
> (there are a number of unreleased patches in the repo).

Already in progress.. 

>> If I understand things, ssh relies on the C libssh2 library (despite the
>> "pure haskell" description), while hssh + cryptonite is 100% haskell,
> which arguably could make it more cryptographically suspect.
> 
> I think you are mistaken. It is only the test code that depends on
> libssh2 (which is an ssh /client/ implementation), not the server code.

Thanks, I wasn't sure about that.

> I cannot compile this version with --enable-tests. Cabal does not find a
> valid build plan for ghc-8.2.2 or ghc-8.6.5. Depending on random>=1.2
> seems to be what breaks it.

I forgot I had to relax QuickCheck's upper bound on random. I should have added cabal.project containing:

packages: .
allow-newer: QuickCheck:random

> I have pushed a patch to https://hub.darcs.net/bf/ssh that replaces
> random with cryptonite. Unfortunately there is an overlap between
> crypto-api and cryptonite in module names, so I had to use
> PackageImports to disambiguate.

Nice, thanks!

> When I try to run the tests I also see the test suite hanging (no CPU usage):



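Added example, not part of the original message and not code from the ssh package or from the patch on hub.darcs.net: a small Haskell program contrasting the seedable generator in random >= 1.2 with cryptonite's system-entropy source, using PackageImports for the Crypto.Random module name that crypto-api and cryptonite both export. It assumes the random (>= 1.2), cryptonite and bytestring packages are available; the helper names seededBytes, systemBytes and hex are hypothetical.

```haskell
{-# LANGUAGE PackageImports #-}
-- Added illustration; helper names below are hypothetical.
module Main (main) where

import qualified Data.ByteString as B
import Text.Printf (printf)
-- random >= 1.2: general-purpose generator that is fully determined by its seed.
import System.Random (genByteString, mkStdGen)
-- Crypto.Random is exported by both crypto-api and cryptonite,
-- so the providing package is named explicitly.
import "cryptonite" Crypto.Random (getRandomBytes)

-- Render bytes as lowercase hex for display.
hex :: B.ByteString -> String
hex = concatMap (printf "%02x") . B.unpack

-- 16 bytes from StdGen. Anyone who knows (or can guess) the seed
-- can regenerate exactly the same bytes.
seededBytes :: Int -> B.ByteString
seededBytes seed = fst (genByteString 16 (mkStdGen seed))

-- 16 bytes from cryptonite's MonadRandom instance for IO,
-- which draws on the operating system's entropy source.
systemBytes :: IO B.ByteString
systemBytes = getRandomBytes 16

main :: IO ()
main = do
  -- Constructed sample seed; any fixed value shows the same effect.
  let a = seededBytes 42
      b = seededBytes 42
  putStrLn ("StdGen, seed 42, draw 1: " ++ hex a)
  putStrLn ("StdGen, seed 42, draw 2: " ++ hex b)
  putStrLn ("  identical: " ++ show (a == b))

  c <- systemBytes
  d <- systemBytes
  putStrLn ("cryptonite, draw 1:      " ++ hex c)
  putStrLn ("cryptonite, draw 2:      " ++ hex d)
  putStrLn ("  identical: " ++ show (c == d))
```

When reviewing a package for this issue, the places to look are where nonces, padding, or key material are produced and which of these two kinds of source feeds them.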