Date: Tue, 30 Dec 2014 06:32:13 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-users@...ts.openwall.com
Subject: Owl future (was: owl-startup)

On Mon, Dec 29, 2014 at 10:38:36PM +0300, (GalaxyMaster) wrote:
> I have a feeling that Owl is currently stagnating

Obviously it is.

> since there are no active packagers

Mostly not for that reason.  In fact, that one may be a consequence of
other reasons.  There are people who could contribute stuff, but if we
opened Owl up for contributions without close involvement from key Owl
developers, the resulting distro would make little sense to me.

> and that if we do not act in the nearest future the
> effort required to recover and to bring Owl up-to-date would be
> unjustified.  In my opinion, we are approaching a point where it's just
> much easier to take the best we have in our distribution and apply it on
> top of a modern, mainstream one -- and my guess is that we won't lose
> much.  Maybe, this is what we should do after all.

Let's look at this differently: what was the value of Owl so far?
I think it was primarily in trying out and demonstrating to others some
approaches, some of which have now been adopted by other systems (and
some changes went upstream).

I think the positive impact of this can be greater.  Maybe some of us
could actively contribute to other distros e.g. to make them SUID-less?

For example, I think Alpine Linux may be a good distro to contribute to.
Surely there are others.  Maybe also some *BSDs.

As to contributing to mainstream distros, I don't mind, but frankly I
don't feel our userland security hardening enhancements are of as much
value when mixed with a lot of other stuff in a distro like Fedora or
Ubuntu.  The value would probably be in demonstrating those approaches
via the more popular mainstream distros, so the approaches could again
be cherry-picked by some distro where there are not as many other
"gaping holes" as in a mainstream one.  For example, when Mandriva went
to use our tcb, I think the value was in greater exposure of this
approach for potential reuse where it's more helpful, and to a lesser
extent in direct benefit to Mandriva users (where there are plenty of
unrelated SUID root programs anyway).

Having our approaches adopted by multiple distros also side-steps the
issue of systemd.  The distros may vary in this aspect.

I am not suggesting that we maintain forks of other distros as Openwall
projects.  (galaxy@ might have implied that, for some specific distro.)
Rather, I am suggesting that if some of us want to, and there are other
distros that welcome such contributions, the individual Owl developers
and users could contribute to those distros, and this sort of activity
would make sense to me.  As to Openwall's role in this, I am not sure.

Finally, as to the future of Owl itself, we need to know why we'd be
continuing to put effort into Owl.  Do we have more new approaches to
demo to others in this way, or would we be playing catch-up?  I think it
might be mostly the latter.  There are things other hardened distros did
and we didn't do yet, so we can merge those in and create a distro that
is in some ways better overall.  (In fact, this was the plan a couple of
years ago, but we didn't proceed to execute on it much yet.)  However,
we would not demo much new in this way, except for the combination of
what we already had and what others already had, and along with newer
upstream software versions.  Is demo'ing this combination worth the
effort?  Would it inspire others to do anything better?  Is it worth the
effort merely for actual use of it during the period that we'd be
maintaining it and keeping it up-to-date?

I think Owl is, and will be (until EOL'ed), one of Openwall's several
projects (not "the main project").  There are other things I'd like to
work on (as well or instead).  So if Owl is primarily for its actual use
while it's maintained, rather than for indirect positive impact on other
projects, this means that personally I will want to limit my time spent
on Owl and to spend more of my time on our other projects instead
(including some future ones).  I've been doing just that lately.

Alexander
