From libssh2-devel-bounces@cool.haxx.se  Mon Aug 15 11:56:03 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u7F9tTHq004728;
	Mon, 15 Aug 2016 11:55:56 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u7F9tSxS004716
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Mon, 15 Aug 2016 11:55:28 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u7F9tSi2004713
 for <libssh2-devel@cool.haxx.se>; Mon, 15 Aug 2016 11:55:28 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Mon, 15 Aug 2016 11:55:28 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: CII best practices
Message-ID: <alpine.DEB.2.20.1608151150480.3872@tvnag.unkk.fr>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <http://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u7F9tTHq004728

Hey,

I've been participating in the CII best practices project to help open source 
projects get better. It contains a catalogue of open source software where 
each project fills in its status and declares how it works.

I've added "libssh2" [1] to the list of projects, and right now we're at 92% 
coverage of the practices.

It would be awesome to make libssh2 reach 100% so I'm posting this email to 
ask for those who care to go to the best practices site and check out the 
entries that we don't adhere to so far and either tell us here that the info 
can be updated (and how) or help us move in a direction so that we can meet 
the criteria in the future.

[1] = https://bestpractices.coreinfrastructure.org/projects/81

-- 

  / daniel.haxx.se
_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

From libssh2-devel-bounces@cool.haxx.se  Mon Aug 15 16:25:21 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u7FEOnOC023432;
	Mon, 15 Aug 2016 16:25:14 +0200
Received: from mail-wm0-f51.google.com (mail-wm0-f51.google.com [74.125.82.51])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u7FEOlwr023384
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Mon, 15 Aug 2016 16:24:48 +0200
Received: by mail-wm0-f51.google.com with SMTP id i5so106631215wmg.0
 for <libssh2-devel@cool.haxx.se>; Mon, 15 Aug 2016 07:24:49 -0700 (PDT)
X-Received: by 10.46.0.134 with SMTP id e6mr5078346lji.40.1471271083257; Mon,
 15 Aug 2016 07:24:43 -0700 (PDT)
MIME-Version: 1.0
References: <alpine.DEB.2.20.1608151150480.3872@tvnag.unkk.fr>
In-Reply-To: <alpine.DEB.2.20.1608151150480.3872@tvnag.unkk.fr>
From: Alexander Lamaison <swish@lammy.co.uk>
Date: Mon, 15 Aug 2016 14:24:32 +0000
Message-ID: <CADyPeTOxOGEKg897nTB_3BBg=d_yoBCuUFo0+hVFHb89hNYDzw@mail.gmail.com>
Subject: Re: CII best practices
To: "development, libssh2" <libssh2-devel@cool.haxx.se>
Content-Type: multipart/mixed; boundary="===============1761155385=="
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>

--===============1761155385==
Content-Type: multipart/alternative; boundary=001a1142b58c4935a6053a1cfe01

--001a1142b58c4935a6053a1cfe01
Content-Type: text/plain; charset=UTF-8

On Mon, 15 Aug 2016, 10:56 Daniel Stenberg, <daniel@haxx.se> wrote:

> Hey,
>
> I've been participating in the CII best practices project to help open source
> projects get better. It contains a catalogue of open source software where
> each project fills in its status and declares how it works.
>
> I've added "libssh2" [1] to the list of projects, and right now we're at 92%
> coverage of the practices.
>
> It would be awesome to make libssh2 reach 100% so I'm posting this email to
> ask for those who care to go to the best practices site and check out the
> entries that we don't adhere to so far and either tell us here that the info
> can be updated (and how) or help us move in a direction so that we can meet
> the criteria in the future.
>
> [1] = https://bestpractices.coreinfrastructure.org/projects/81
>
>
We do continuous integration.

Alex

--001a1142b58c4935a6053a1cfe01--

--===============1761155385==--

From libssh2-devel-bounces@cool.haxx.se  Sat Aug 20 17:42:16 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u7KFfk84008261;
	Sat, 20 Aug 2016 17:42:10 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u7KFfjV9008255
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Sat, 20 Aug 2016 17:41:45 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u7KFfjbr008252
 for <libssh2-devel@cool.haxx.se>; Sat, 20 Aug 2016 17:41:45 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Sat, 20 Aug 2016 17:41:45 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: libssh2 security
Message-ID: <alpine.DEB.2.20.1608201735310.18456@tvnag.unkk.fr>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u7KFfk84008261

Hi friends,

One of the remaining steps to make us reach 100% "CII best practices", is to 
make sure we document how we deal with security problems and provide a way for 
users to report such problems without immediately disclosing them to the 
public.

I've written a suggested "security process" for how to handle these sorts of 
problems and I've set up an email alias (libssh2-security@haxx.se) with a 
closed list of receivers to which suspected vulnerabilities can be reported.

The process is my *suggested* approach and I'm interested in feedback and 
comments to make sure we all agree on it. It is right now already easily 
browsable here:

   https://github.com/libssh2/libssh2/blob/master/docs/SECURITY.md

There should be very few surprises in that. It is basically the same document 
I've used in the curl project for many years. I stole it from there with 
permission since I wrote the original =)

I'll make it viewable from the web site too in a day or two, depending on the 
feedback here.

-- 

  / daniel.haxx.se

From libssh2-devel-bounces@cool.haxx.se  Sun Aug 21 01:07:47 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u7KN7IF2013310;
	Sun, 21 Aug 2016 01:07:40 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u7KN7GAt013303
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Sun, 21 Aug 2016 01:07:16 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u7KN7FtQ013300
 for <libssh2-devel@cool.haxx.se>; Sun, 21 Aug 2016 01:07:16 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Sun, 21 Aug 2016 01:07:15 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: perfect forward secrecy?
Message-ID: <alpine.DEB.2.20.1608210103550.18456@tvnag.unkk.fr>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u7KN7IF2013310

Hey,

There's a best practice left that I haven't marked as 'Met' because I'm not 
entirely sure (mostly because my memory is weak on the specifics). So I wanted 
to bounce this off you peeps on the list. This is the criterion:

Under Security / Good cryptographic practices:

  "The project SHOULD implement perfect forward secrecy for key agreement 
protocols so a session key derived from a set of long-term keys cannot be 
compromised if one of the long-term keys is compromised in the future"

We can mark this as a 'Met', can't we?

-- 

  / daniel.haxx.se

From libssh2-devel-bounces@cool.haxx.se  Sun Aug 21 10:47:42 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u7L8lFJZ032443;
	Sun, 21 Aug 2016 10:47:37 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u7L8lERk032379
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Sun, 21 Aug 2016 10:47:14 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u7L8lDrd032374
 for <libssh2-devel@cool.haxx.se>; Sun, 21 Aug 2016 10:47:14 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Sun, 21 Aug 2016 10:47:13 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: Re: libssh2 security
In-Reply-To: <alpine.DEB.2.20.1608201735310.18456@tvnag.unkk.fr>
Message-ID: <alpine.DEB.2.20.1608211046390.18456@tvnag.unkk.fr>
References: <alpine.DEB.2.20.1608201735310.18456@tvnag.unkk.fr>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u7L8lFJZ032443

On Sat, 20 Aug 2016, Daniel Stenberg wrote:

> I'll make it viewable from the web site too in a day or two, depending on 
> the feedback here.

Now visible here: https://www.libssh2.org/security.html

-- 

  / daniel.haxx.se

From libssh2-devel-bounces@cool.haxx.se  Mon Aug 22 15:35:58 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u7MDZa8M030851;
	Mon, 22 Aug 2016 15:35:53 +0200
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u7MDZXL9030728
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Mon, 22 Aug 2016 15:35:34 +0200
Received: from int-mx13.intmail.prod.int.phx2.redhat.com
 (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 2C76CC04D280;
 Mon, 22 Aug 2016 13:35:29 +0000 (UTC)
Received: from kdudka-nb.localnet (unused-4-106.brq.redhat.com [10.34.4.106])
 by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
 ESMTP id u7MDZRBp028159
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Mon, 22 Aug 2016 09:35:28 -0400
From: Kamil Dudka <kdudka@redhat.com>
To: Daniel Stenberg <daniel@haxx.se>
Subject: Re: libssh2 security
Date: Mon, 22 Aug 2016 15:35:31 +0200
Message-ID: <9034834.93hhKqCGr9@kdudka-nb>
User-Agent: KMail/4.14.10 (Linux/4.7.0-gentoo; KDE/4.14.20; x86_64; ; )
In-Reply-To: <alpine.DEB.2.20.1608201735310.18456@tvnag.unkk.fr>
References: <alpine.DEB.2.20.1608201735310.18456@tvnag.unkk.fr>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.31]); Mon, 22 Aug 2016 13:35:29 +0000 (UTC)
Cc: libssh2-devel@cool.haxx.se
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u7MDZa8M030851

On Saturday, August 20, 2016 17:41:45 Daniel Stenberg wrote:
> Hi friends,
> 
> One of the remaining steps to make us reach 100% "CII best practices", is to
> make sure we document how we deal with security problems and provide a way
> for users to report such problems without immediately disclosing them to
> the public.
> 
> I've written a suggested "security process" for how to handle these sorts of
> problems and I've set up an email alias (libssh2-security@haxx.se) with a
> closed list of receivers to which suspected vulnerabilities can be reported.
> 
> The process is my *suggested* approach and I'm interested in feedback and
> comments to make sure we all agree on it. It is right now already easily
> browsable here:
> 
>    https://github.com/libssh2/libssh2/blob/master/docs/SECURITY.md

Looks good to me!  Sorry for replying late on this.

Kamil

> There should be very few surprises in that. It is basically the same
> document I've used in the curl project for many years. I stole it from
> there with permission since I wrote the original =)
> 
> I'll make it viewable from the web site too in a day or two, depending on
> the feedback here.

From libssh2-devel-bounces@cool.haxx.se  Wed Aug 31 23:32:07 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u7VLVZmb001964;
	Wed, 31 Aug 2016 23:31:59 +0200
Received: from 2.mo5.mail-out.ovh.net (2.mo5.mail-out.ovh.net [178.33.109.111])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u7VLVX4m001950
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Wed, 31 Aug 2016 23:31:33 +0200
Received: from player774.ha.ovh.net (b7.ovh.net [213.186.33.57])
 by mo5.mail-out.ovh.net (Postfix) with ESMTP id E44BF1010CD8
 for <libssh2-devel@cool.haxx.se>; Wed, 31 Aug 2016 23:31:34 +0200 (CEST)
Received: from [192.168.0.14] (85-218-68-172.dclient.lsne.ch [85.218.68.172])
 (Authenticated sender: antenore@simbiosi.org)
 by player774.ha.ovh.net (Postfix) with ESMTPSA id B936640069
 for <libssh2-devel@cool.haxx.se>; Wed, 31 Aug 2016 23:31:34 +0200 (CEST)
To: libssh2-devel@cool.haxx.se
From: Antenore Gatta <antenore@simbiosi.org>
Subject: Migration from libssh
Message-ID: <cd9baa2a-e57a-19ca-9dee-5dac5bdfc44d@simbiosi.org>
Date: Wed, 31 Aug 2016 23:31:34 +0200
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101
 Thunderbird/45.2.0
MIME-Version: 1.0
X-Ovh-Tracer-Id: 5527605593474552238
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-MIME-Autoconverted: from quoted-printable to 8bit by giant.haxx.se id
 u7VLVX4m001950
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u7VLVZmb001964

Hi all,

I'm the Remmina maintainer (shared role with Giovanni Panozzo). We
currently use libssh in our SSH plugin, and as back-end for ssh tunneled
connections for all the other protocols as well.

We are considering the possibility to move away from libssh and migrate
all of our libssh code to libssh2.

As reference we were using the comparison page on your site, but it
looks really outdated.

Do you please have any advice for us? Do you have any experience with
this kind of migration?

There are also some features we are interested in, like support for
~/ssh/config files parsing (I know it's openssh only), FIDO U2F, that
at the moment you are not supporting, if I'm not wrong, and I was
wondering if these are in your todo list.

Thanks a lot!!!!



