TODO for beta2?

TODO for beta2?

Andreas Jellinghaus-2
Hi,

what is our TODO for beta2?

I guess:
 - configure code for detecting PCSC/*.h vs *.h. Ludovic: is there any
   function we can use for that? and then replace #ifdef __APPLE__ with
   #ifdef HAVE_INCLUDE_PCSC (or whatever define name you think is appropriate)
 - document how to call configure on linux, windows, with broken openssl,
   without pkg-config and all that
 - document registry and environment configuration options
 - get libp11, engine_pkcs11 and pam_p11 releases out of the door
 - document how to combine those packages.

anything else?

beta2 this week (first a release candidate, two or three days later beta2
without changes) would be nice. after that: please no changes till 0.10.0
is released :)

new scb preview once beta2 is released.

what do you think of that timeline? too slow? too fast?

help and feedback are very welcome.

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: TODO for beta2?

Martin Paljak
On 10/3/05, Andreas Jellinghaus <[hidden email]> wrote:
> I guess:
>  - configure code for detecting PCSC/*.h vs *.h. Ludovic: is there any
>    function we can use for that? and then replace #ifdef __APPLE__ with
>    #ifdef HAVE_INCLUDE_PCSC (or whatever define name you think is appropriate)
This is actually not a priority. __APPLE__ is very nice and apple
specific (like the link option to link with PCSC framework on apple)
it just must be possible to easily use a _custom_ pcsc version on os x
too.

>  - document registry and environment configuration options
Yes.
>  - get libp11, engine_pkcs11 and pam_p11 releases out of the door
Yes
>  - document how to combine those packages.
Yes.
> anything else?

--
Martin Paljak
[hidden email]
http://martin.paljak.pri.ee/
+372.5156495 - phone

Re: TODO for beta2?

Ludovic Rousseau
On 03/10/05, Martin Paljak <[hidden email]> wrote:
> On 10/3/05, Andreas Jellinghaus <[hidden email]> wrote:
> > I guess:
> >  - configure code for detecting PCSC/*.h vs *.h. Ludovic: is there any
> >    function we can use for that? and then replace #ifdef __APPLE__ with
> >    #ifdef HAVE_INCLUDE_PCSC (or whatever define name you think is appropriate)
> This is actually not a priority. __APPLE__ is very nice and apple
> specific (like the link option to link with PCSC framework on apple)

The use of PCSC/winscard.h instead of winscard.h is Apple specific AFAIK.

The problem is that the "normal" way to build under MacOSX is to use
XCode and not ./configure ; make ; make install.
So adding code in configure.in may not be useful.

#ifdef __APPLE__ should work with or without XCode.

> it just must be possible to easily use a _custom_ pcsc version on os x
> too.

You can do that using PCSC_CFLAGS and PCSC_LIBS.

Bye,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: TODO for beta2?

Andreas Jellinghaus-2
In reply to this post by Martin Paljak
what is left as todo for beta2?
 * openssl 0.9.8 issue (mailed details to nils, basically both opensc asn.1 as
   well as an openssl header file define ASN1_INTEGER but in a different way.
   one possible solution would be to use SC_ASN1_* in opensc instead.
   (lots of code changes, but trivial I guess)
 * document registry and environment configuration options
 * get libp11, engine_pkcs11 and pam_p11 releases out of the door
 * document how to combine those packages.

what about rsa header files? document that any pkcs#12 using application
needs a gpl exception (like using openssl does)? I don't see any other
option.

mac os X: is documenting the configure flags etc. good enough or not?
do I need to remove "-L/usr/lib" from the example, or is it only
redundant and harmless?

are there results with the changed default config file (apdu_masquerade):
does anyone still have problems? does anyone have new problems?

anything else I forgot?

Regards, Andreas

Re: TODO for beta2?

Nils Larsch
Andreas Jellinghaus wrote:
> what is left as todo for beta2?
>  * openssl 0.9.8 issue (mailed details to nils, basically both opensc asn.1 as
>    well as an openssl header file define ASN1_INTEGER but in a different way.
>    one possible solution would be to use SC_ASN1_* in opensc instead.
>    (lots of code changes, but trivial I guess)

revision 2642 should fix this

> what about rsa header files? document that any pkcs#12 using application
> needs a gpl exception (like using openssl does)? I don't see any other
> option.

it would be nice to get an official comment from the fsf on the
rsa vs. [l]gpl issue

> anything else I forgot?

opensc bug report #45 sounds interesting

Cheers,
Nils

Re: TODO for beta2?

Ludovic Rousseau
On 10/10/05, Nils Larsch <[hidden email]> wrote:
> Andreas Jellinghaus wrote:
> > what about rsa header files? document that any pkcs#12 using application
> > needs a gpl exception (like using openssl does)? I don't see any other
> > option.
>
> it would be nice to get an official comment from the fsf on the
> rsa vs. [l]gpl issue

Since Mozilla is GPL (and also MPL but that is not important for my
point) it suffers an even bigger problem. Mozilla CAN'T be GPL since
it uses RSA files.

Being unable to use OpenSC with a GPL application may not be a problem
for many people. But removing Mozilla from Debian because of a licence
issue is another problem. I guess it would make Debian, FSF, etc. move
a bit more. I will bring the issue on debian-legal again.

Bye,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: TODO for beta2?

Nils Larsch
Ludovic Rousseau wrote:

> On 10/10/05, Nils Larsch <[hidden email]> wrote:
>
>>Andreas Jellinghaus wrote:
>>
>>>what about rsa header files? document that any pkcs#12 using application
>>>needs a gpl exception (like using openssl does)? I don't see any other
>>>option.
>>
>>it would be nice to get an official comment from the fsf on the
>>rsa vs. [l]gpl issue
>
>
> Since Mozilla is GPL (and also MPL but that is not important for my
> point) it suffers an even bigger problem. Mozilla CAN'T be GPL since
> it uses RSA files.
>
> Being unable to use OpenSC with a GPL application may not be a problem
> for many people. But removing Mozilla from Debian because of a licence
> issue is another problem. I guess it would make Debian, FSF, etc. move
> a bit more. I will bring the issue on debian-legal again.

sounds like you've opened Pandora's box ...

Cheers,
Nils

Re: TODO for beta2?

Ludovic Rousseau
In reply to this post by Ludovic Rousseau
On 10/10/05, Nils Larsch <[hidden email]> wrote:
> Ludovic Rousseau wrote:
> ...
> > I will bring the issue on debian-legal again.
>
> in case you open a new thread on debian-legal: could you please
> post a link to it on opensc-internal or opensc-devel ?

My message is at [1]. It is a continuation of the thread started by Andreas.

I hope to see more reactions now that a big project, Mozilla, is involved.

Bye,

[1] http://lists.debian.org/debian-legal/2005/10/msg00067.html

--
  Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: TODO for beta2?

Andreas Jellinghaus-2
In reply to this post by Ludovic Rousseau
my view is:

mozilla is not an issue:
 - either mozilla does not exist, because it is forbidden to link mozilla
   source with libnss which includes the pkcs11 headers and thus the same
   clause opensc faces.
 - or mozilla has a waiver to allow that clause, in which case opensc with
   the same clause can be used, too.

Also I don't know of any other application that has a pkcs#11 interface
and does not use openssl. and openssl advertising clause is quite similar
to pkcs#11 header, so it should be possible to get such a clause, too.

wait, there is wpa_supplicant. we should mail to its author and let
him know of the issue.

openssh is not an issue, as it uses opensc native.

openswan/freeswan/strongswan might be a problem. we should talk to those
people, too.

> Being unable to use OpenSC with a GPL application may not be a problem
> for many people. But removing Mozilla from Debian because of a licence
> issue is another problem. I guess it would make Debian, FSF, etc. move
> a bit more. I will bring the issue on debian-legal again.

creating awareness for the issue is a good thing.
but if the result would be dropping pkcs#11 support from
mozilla&co, it would be bad. let's hope nobody overreacts.

Regards, Andreas

Re: TODO for beta2?

Peter Stuge
On Mon, Oct 10, 2005 at 09:24:35PM +0200, Andreas Jellinghaus wrote:
> Also I don't know of any other application that has a pkcs#11
> interface and does not use openssl.

[..]

> openssh is not an issue, as it uses opensc native.

There was a message sent to the openssh mailing list last week, the
poster had just written PKCS#11 support for OpenVPN and offered to
create a patch using the same code base for OpenSSH.

I asked if he had seen libp11 and he had indeed but rejected it
because he didn't find it complete enough.

There wasn't much response from the OpenSSH developers.


//Peter

Re: TODO for beta2?

Andreas Jellinghaus-2
Hi Peter,

On Tuesday 11 October 2005 03:59, Peter Stuge wrote:
> There was a message sent to the openssh mailing list last week, the
> poster had just written PKCS#11 support for OpenVPN and offered to
> create a patch using the same code base for OpenSSH.

hmm, that would be very good. openssh code has a number of
issues (for example the agent does not do a proper pin check
and also it keeps the pin even if the card is removed).
and openssh needs patching anyway, since the main openssh
ssh does not ask for the pin at all.

> I asked if he had seen libp11 and he had indeed but rejected it
> because he didn't find it complete enough.

that is very true. it is in very early development.

> There wasn't much response from the OpenSSH developers.

no surprise from my side.

Andreas

Re: TODO for beta2?

Andreas Steffen-2
In reply to this post by Andreas Jellinghaus-2
Andreas Jellinghaus wrote:

> my view is:
>
> mozilla is not an issue:
>  - either mozilla does not exist, because it is forbidden to link mozilla
>    source with libnss which includes the pkcs11 headers and thus the same
>    clause opensc faces.
>  - or mozilla has a waiver to allow that clause, in which case opensc with
>    the same clause can be used, too.
>
> Also I don't know of any other application that has a pkcs#11 interface
> and does not use openssl. and openssl advertising clause is quite similar
> to pkcs#11 header, so it should be possible to get such a clause, too.
>
> wait, there is wpa_supplicant. we should mail to its author and let
> him know of the issue.
>
> openssh is not an issue, as it uses opensc native.
>
> openswan/freeswan/strongswan might be a problem. we should talk to those
> people, too.

FreeS/WAN and its successors Openswan and strongSwan have always had a
small chunk of code that wasn't licensed under the GPL. Excerpt from
the LICENSE file:

   Except for the DES library, MD5 code, and linux/net/ipsec/radij.c
   this software is under the GNU Public License, see the file COPYING.
   See the file CREDITS for details on origins of more of the code.

   The DES library is under a BSD style license, see
         linux/crypto/ciphers/des/COPYRIGHT.
   Note that this software has a advertising clause in it.

   The MD5 implementation is from RSADSI, so this package must include
   the following phrase:  "derived from the RSA Data Security, Inc. MD5
   Message-Digest Algorithm".  It is not under the GPL; see details in
   linux/net/ipsec/ipsec_md5c.c.

   The linux/net/ipsec/radij.c code is derived from BSD 4.4lite code
   from sys/net/radix.c.

   In addition to the terms set out under the GPL, permission is granted
   to link the software against the libdes, md5c.c, and radij.c librarie
   just mentioned.

Therefore I think that it will be sufficient to add a similar notice
concerning RSA's PKCS#11 header files.

>
>>Being unable to use OpenSC with a GPL application may not be a problem
>>for many people. But removing Mozilla from Debian because of a licence
>>issue is another problem. I guess it would make Debian, FSF, etc. move
>>a bit more. I will bring the issue on debian-legal again.
>
>
> creating awareness for the issue is a good thing.
> but if the result would be dropping pkcs#11 support from
> mozilla&co, it would be bad. let's hope nobody overreacts.
>
> Regards, Andreas

Kind regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: [hidden email]
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===