[darcs-devel] ssh release needed (Re: status of darcsden repo)

Ben Franksen ben.franksen at online.de
Sat Jun 27 21:32:06 UTC 2020


On 26.06.20 at 18:04, Simon Michael wrote:
>> On Jun 26, 2020, at 6:31 AM, Ben Franksen <ben.franksen at online.de>
>> wrote: I just realized that you are probably not subscribed to
>> @darcs-devel, so you don't see my replies on the list.
> 
> Hi Ben.. I am, but used to read it only with thunderbird, so haven't
> been keeping up for a few years. I've redirected it into my regular
> mail client for now.

Okay, thanks.

>> When I built darcsden with -fssh I realized that ssh depends on
>> the random library. I hope the authors know that this is not a 
>> cryptographically secure RNG.
> 
> I think all concerned do know the haskell ssh package has nothing
> like the same level of usage and scrutiny as openssh. I feel it's
> still reasonable and best for darcsden though, I don't have to learn
> and rely on locking down openssh which provides real system accounts,
> instead we have a custom app with very limited capabilities (a few
> darcs operations).

Yes, that is definitely an advantage of using the ssh package. Still, I
find the use of the random package concerning. That should be fixed.

When I tried to hack this into the ssh package (starting with your
ssh_darcsgub branch), I noticed that it also uses a plethora of small
packages for the various crypto stuff that is needed. The cryptonite
package has them *all*, but the API is very different. So switching to
cryptonite would be a major refactor.

I have looked at hssh. It looks like adding new crypto methods is a lot
simpler with that library and as it is from 2018 it is already based on
cryptonite. The version 0.1.0.0 on hackage at least builds with ghc-4.4.
But again that's a completely different API and I don't feel confident
to re-write darcsden-ssh in terms of hssh.

BTW, I have succeeded in compiling darcsden (plus -fssh) with ghc-8.4.4.
This requires cabal file fixes for the curve25519 and ssh packages and
adaption of some code in darcsden because pandoc needs to be upgraded
to >=2.0.

Cheers
Ben
