[opam-devel] [ocaml-infra] expiration SSL certificate
daniel.buenzli at erratique.ch
Tue Sep 13 12:42:24 BST 2016
On Tuesday 13 September 2016 at 12:56, David Sheets wrote:
> > "Note that yojson never checks the encoding of strings."
> This refers to the internal string representation.
Please, check your facts.
> It's not clear to me why or how this will result in users "being sorry" for using a
> library in order to get a certificate from a (trusted) CA.
Any yojson user might end up being sorry at some point and I have said this for a long time . There are quite a few scenarios where you could be bitten by this behaviour since it invalidates invariants you may think hold about a string that was decoded about a standard compliant JSON parser (like absence of NULL byte in the original string -- note that decoded strings reencoded to UTF-8 may have null bytes because U+0000 is allowed via *escape*). Now store that original string somewhere and think about the fact that most OCaml's system APIs were vulnerable to NULL byte injection until recently (and I'm sure a lot of other C bindings are).
> Telling them is certainly more effective (and socially responsible) than
> spreading FUD on an unrelated mailing list.
I'm not spreading FUD I'm talking about a reality, on mailing list were this project was mentioned to be used. And sorry I don't have time to loose with random people toying in a random, unreleased, github repository.
> I still don't think you've demonstrated insecurity (except perhaps your own).
Security is a mindset. You are showing that you are not having it and I personally feel that neither does an individual that uses insecure libraries to build security infrastructure. Now trust who you want I just happens that I have different expectations about the quality of the code I use.
More information about the opam-devel