Port of Cryptography to Pharo

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
50 messages Options
123
Reply | Threaded
Open this post in threaded view
|

Port of Cryptography to Pharo

Mariano Martinez Peck
I don't know if there is anyone of the developers of the package Cryptography but is someone is willing to do the port of it to Pharo? Most tests are break and it seems not to work because lots of  Cryptography methods where in classes like SmallInteger and these methods were removed in Pharo.

Regards,

Mariano

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Schwab,Wilhelm K
The most recent post on the crytography mailing list starts out as follows:
 
Since the Cryptography Team doesn't exists anymore, the Cryptography package is not maintained by anyone. The SSL implementation doesn't allow easy debugging, you can't just turn on logging to see what's happening. Following the state machine transitions should give you the answer why the handshake isn't succeding. It might be related to certificates or TLS->SSL3 fallback. If I were you, I would go with curl.
I think it is time to write a wrapper around open SSL in addition to looking at the curl plugin.  Trying to write cryptography code from scratch and get and keep it right is a huge effort, and pretty avoidable, and IMHO, better avoided by letting others do the job.  Ever read Sun Tzu?
 
Bill
 
 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Mariano Martinez Peck
Sent: Thursday, May 21, 2009 8:51 PM
To: Pharo Development
Subject: [Pharo-project] Port of Cryptography to Pharo

I don't know if there is anyone of the developers of the package Cryptography but is someone is willing to do the port of it to Pharo? Most tests are break and it seems not to work because lots of  Cryptography methods where in classes like SmallInteger and these methods were removed in Pharo.

Regards,

Mariano

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Stéphane Ducasse
In reply to this post by Mariano Martinez Peck
The cryptogarphy package is important.
Now I do not see why we would have removed methods from SmallInteger  
(may be with the last license cleaning)
Could you tell us the methods that are missing?

Stef

On May 22, 2009, at 3:51 AM, Mariano Martinez Peck wrote:

> I don't know if there is anyone of the developers of the package  
> Cryptography but is someone is willing to do the port of it to  
> Pharo? Most tests are break and it seems not to work because lots  
> of  Cryptography methods where in classes like SmallInteger and  
> these methods were removed in Pharo.
>
> Regards,
>
> Mariano
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Fernando olivero
In reply to this post by Schwab,Wilhelm K
Just a comment, 

you could use the new  AlienFFI framework to comunicate with curl. 
Or reify any C library you want in Pharo.

Fernando


On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:

The most recent post on the crytography mailing list starts out as follows:
 
Since the Cryptography Team doesn't exists anymore, the Cryptography package is not maintained by anyone. The SSL implementation doesn't allow easy debugging, you can't just turn on logging to see what's happening. Following the state machine transitions should give you the answer why the handshake isn't succeding. It might be related to certificates or TLS->SSL3 fallback. If I were you, I would go with curl.
I think it is time to write a wrapper around open SSL in addition to looking at the curl plugin.  Trying to write cryptography code from scratch and get and keep it right is a huge effort, and pretty avoidable, and IMHO, better avoided by letting others do the job.  Ever read Sun Tzu?
 
Bill
 
 


From: [hidden email] [[hidden email]] On Behalf Of Mariano Martinez Peck
Sent: Thursday, May 21, 2009 8:51 PM
To: Pharo Development
Subject: [Pharo-project] Port of Cryptography to Pharo

I don't know if there is anyone of the developers of the package Cryptography but is someone is willing to do the port of it to Pharo? Most tests are break and it seems not to work because lots of  Cryptography methods where in classes like SmallInteger and these methods were removed in Pharo.

Regards,

Mariano
<ATT00001.txt>


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Schwab,Wilhelm K
Agreed: I mentioned both curl and OpenSSL - we should embrace both.  AFACT, the cryptography package is a thing of the past, and we should look to active projects.  Tell me where I'm wrong, please.
 
Another reality, fair or not: if we were to take on the enormous burden of maintaining the cypto package, there would always be questions about security holes we left open.  The same will be true of OpenSSL, but there is (not always fair) credibility in numbers widely known projects.  There will be would-be users of Pharo who will want OpenSSL for its reputation, and who would question a home-grown solution.
 
Bill
 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Fernando olivero
Sent: Friday, May 22, 2009 4:20 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Just a comment, 

you could use the new  AlienFFI framework to comunicate with curl. 
Or reify any C library you want in Pharo.

Fernando


On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:

The most recent post on the crytography mailing list starts out as follows:
 
Since the Cryptography Team doesn't exists anymore, the Cryptography package is not maintained by anyone. The SSL implementation doesn't allow easy debugging, you can't just turn on logging to see what's happening. Following the state machine transitions should give you the answer why the handshake isn't succeding. It might be related to certificates or TLS->SSL3 fallback. If I were you, I would go with curl.
I think it is time to write a wrapper around open SSL in addition to looking at the curl plugin.  Trying to write cryptography code from scratch and get and keep it right is a huge effort, and pretty avoidable, and IMHO, better avoided by letting others do the job.  Ever read Sun Tzu?
 
Bill
 
 


From: [hidden email] [[hidden email]] On Behalf Of Mariano Martinez Peck
Sent: Thursday, May 21, 2009 8:51 PM
To: Pharo Development
Subject: [Pharo-project] Port of Cryptography to Pharo

I don't know if there is anyone of the developers of the package Cryptography but is someone is willing to do the port of it to Pharo? Most tests are break and it seems not to work because lots of  Cryptography methods where in classes like SmallInteger and these methods were removed in Pharo.

Regards,

Mariano
<ATT00001.txt>


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Stéphane Ducasse
Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.  
> AFACT, the cryptography package is a thing of the past, and we  
> should look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous  
> burden of maintaining the cypto package, there would always be  
> questions about security holes we left open.  The same will be true  
> of OpenSSL, but there is (not always fair) credibility in numbers  
> widely known projects.  There will be would-be users of Pharo who  
> will want OpenSSL for its reputation, and who would question a home-
> grown solution.
>
> Bill
>
>
> From: [hidden email] [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as  
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the  
>> Cryptography package is not maintained by anyone. The SSL  
>> implementation doesn't allow easy debugging, you can't just turn on  
>> logging to see what's happening. Following the state machine  
>> transitions should give you the answer why the handshake isn't  
>> succeding. It might be related to certificates or TLS->SSL3  
>> fallback. If I were you, I would go with curl.
>> I think it is time to write a wrapper around open SSL in addition  
>> to looking at the curl plugin.  Trying to write cryptography code  
>> from scratch and get and keep it right is a huge effort, and pretty  
>> avoidable, and IMHO, better avoided by letting others do the job.  
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email] [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package  
>> Cryptography but is someone is willing to do the port of it to  
>> Pharo? Most tests are break and it seems not to work because lots  
>> of  Cryptography methods where in classes like SmallInteger and  
>> these methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

ramiro.diaz.trepat
I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.
It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.  
> AFACT, the cryptography package is a thing of the past, and we  
> should look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous  
> burden of maintaining the cypto package, there would always be  
> questions about security holes we left open.  The same will be true  
> of OpenSSL, but there is (not always fair) credibility in numbers  
> widely known projects.  There will be would-be users of Pharo who  
> will want OpenSSL for its reputation, and who would question a home-
> grown solution.
>
> Bill
>
>
> From: [hidden email] [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as  
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the  
>> Cryptography package is not maintained by anyone. The SSL  
>> implementation doesn't allow easy debugging, you can't just turn on  
>> logging to see what's happening. Following the state machine  
>> transitions should give you the answer why the handshake isn't  
>> succeding. It might be related to certificates or TLS->SSL3  
>> fallback. If I were you, I would go with curl.
>> I think it is time to write a wrapper around open SSL in addition  
>> to looking at the curl plugin.  Trying to write cryptography code  
>> from scratch and get and keep it right is a huge effort, and pretty  
>> avoidable, and IMHO, better avoided by letting others do the job.  
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email] [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package  
>> Cryptography but is someone is willing to do the port of it to  
>> Pharo? Most tests are break and it seems not to work because lots  
>> of  Cryptography methods where in classes like SmallInteger and  
>> these methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and
conditions including on offers for the purchase or sale of
securities, accuracy and completeness of information, viruses,
confidentiality, legal privilege, and legal entity disclaimers,
available at http://www.jpmorgan.com/pages/disclosures/email.  

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Stéphane Ducasse
May be contact the developers to know.
May be this is not a lot of work to have a running version in pharo.

stef
On May 22, 2009, at 12:18 PM, Ramiro Diaz Trepat wrote:

> I'm really sorry to hear it is no longer being maintained.
> It was a necessary package to connect to properly set up Postgres  
> databases, that requiere sending password hashes with SHA-1.  We  
> will probably face this kind of need when interacting with the  
> outside world in general.
> It was a fantastic package, I wonder why the maintainers droped it.  
> I suppose maintaining crypto frameworks up to date, with no  
> vulnerabilities, is a lot of work.
> Sorry for venting out my sadnes to the list.
> Cheers
>
> r.
>
>
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]
> ] On Behalf Of Stéphane Ducasse
> Sent: 22 May 2009 11:08
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
> Ok I thought the cryptology package was working well and maintained.
>
> Stef
>
> On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:
>
>> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
>> AFACT, the cryptography package is a thing of the past, and we
>> should look to active projects.  Tell me where I'm wrong, please.
>>
>> Another reality, fair or not: if we were to take on the enormous
>> burden of maintaining the cypto package, there would always be
>> questions about security holes we left open.  The same will be true
>> of OpenSSL, but there is (not always fair) credibility in numbers
>> widely known projects.  There will be would-be users of Pharo who
>> will want OpenSSL for its reputation, and who would question a home-
>> grown solution.
>>
>> Bill
>>
>>
>> From: [hidden email] [mailto:[hidden email]
>> ] On Behalf Of Fernando olivero
>> Sent: Friday, May 22, 2009 4:20 AM
>> To: [hidden email]
>> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>>
>>
>> Just a comment,
>>
>> you could use the new  AlienFFI framework to comunicate with curl.
>> Or reify any C library you want in Pharo.
>>
>> Fernando
>>
>>
>> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>>
>>> The most recent post on the crytography mailing list starts out as
>>> follows:
>>>
>>> Since the Cryptography Team doesn't exists anymore, the
>>> Cryptography package is not maintained by anyone. The SSL
>>> implementation doesn't allow easy debugging, you can't just turn on
>>> logging to see what's happening. Following the state machine
>>> transitions should give you the answer why the handshake isn't
>>> succeding. It might be related to certificates or TLS->SSL3
>>> fallback. If I were you, I would go with curl.
>>> I think it is time to write a wrapper around open SSL in addition
>>> to looking at the curl plugin.  Trying to write cryptography code
>>> from scratch and get and keep it right is a huge effort, and pretty
>>> avoidable, and IMHO, better avoided by letting others do the job.
>>> Ever read Sun Tzu?
>>>
>>> Bill
>>>
>>>
>>>
>>> From: [hidden email] [mailto:[hidden email]
>>> ] On Behalf Of Mariano Martinez Peck
>>> Sent: Thursday, May 21, 2009 8:51 PM
>>> To: Pharo Development
>>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>>
>>> I don't know if there is anyone of the developers of the package
>>> Cryptography but is someone is willing to do the port of it to
>>> Pharo? Most tests are break and it seems not to work because lots
>>> of  Cryptography methods where in classes like SmallInteger and
>>> these methods were removed in Pharo.
>>>
>>> Regards,
>>>
>>> Mariano
>>> <ATT00001.txt>
>>
>> _______________________________________________
>> Pharo-project mailing list
>> [hidden email]
>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
> This email is confidential and subject to important disclaimers and
> conditions including on offers for the purchase or sale of
> securities, accuracy and completeness of information, viruses,
> confidentiality, legal privilege, and legal entity disclaimers,
> available at http://www.jpmorgan.com/pages/disclosures/email.
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Schwab,Wilhelm K
In reply to this post by Stéphane Ducasse
Stef,

I thought so too until a while ago, but it appears to be long gone.  I would enjoy being shown otherwise.  However, I still think there is good reason to expose and promote both curl and OpenSSL because they will draw "customers."

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: Friday, May 22, 2009 5:08 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.  
> AFACT, the cryptography package is a thing of the past, and we should
> look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true of
> OpenSSL, but there is (not always fair) credibility in numbers widely
> known projects.  There will be would-be users of Pharo who will want
> OpenSSL for its reputation, and who would question a home- grown
> solution.
>
> Bill
>
>
> From: [hidden email]
> [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the Cryptography
>> package is not maintained by anyone. The SSL implementation doesn't
>> allow easy debugging, you can't just turn on logging to see what's
>> happening. Following the state machine transitions should give you
>> the answer why the handshake isn't succeding. It might be related to
>> certificates or TLS->SSL3 fallback. If I were you, I would go with
>> curl.
>> I think it is time to write a wrapper around open SSL in addition to
>> looking at the curl plugin.  Trying to write cryptography code from
>> scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.  
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to Pharo?
>> Most tests are break and it seems not to work because lots of  
>> Cryptography methods where in classes like SmallInteger and these
>> methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Schwab,Wilhelm K
In reply to this post by ramiro.diaz.trepat
Ramiro,

*The* cryptography package as written was not necessary to anything; **a** crytography package is indeed necessary for lots of things, no argment there.  OpenSSL can do the hashes you require courtesy of FFI/Alien or a wrapping plugin.  We'll get there, and hopefully not by re-inventing the wheel as the original team chose to do; sorry, but it's a tricky area where mistakes are easy to make and can be catastrophic.

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Ramiro Diaz Trepat
Sent: Friday, May 22, 2009 5:19 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.
It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.  
> AFACT, the cryptography package is a thing of the past, and we should
> look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true of
> OpenSSL, but there is (not always fair) credibility in numbers widely
> known projects.  There will be would-be users of Pharo who will want
> OpenSSL for its reputation, and who would question a home- grown
> solution.
>
> Bill
>
>
> From: [hidden email]
> [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the Cryptography
>> package is not maintained by anyone. The SSL implementation doesn't
>> allow easy debugging, you can't just turn on logging to see what's
>> happening. Following the state machine transitions should give you
>> the answer why the handshake isn't succeding. It might be related to
>> certificates or TLS->SSL3 fallback. If I were you, I would go with
>> curl.
>> I think it is time to write a wrapper around open SSL in addition to
>> looking at the curl plugin.  Trying to write cryptography code from
>> scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.  
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to Pharo?
>> Most tests are break and it seems not to work because lots of  
>> Cryptography methods where in classes like SmallInteger and these
>> methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and conditions including on offers for the purchase or sale of securities, accuracy and completeness of information, viruses, confidentiality, legal privilege, and legal entity disclaimers, available at http://www.jpmorgan.com/pages/disclosures/email.  

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Mariano Martinez Peck
In reply to this post by ramiro.diaz.trepat


On Fri, May 22, 2009 at 9:18 AM, Ramiro Diaz Trepat <[hidden email]> wrote:
I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.

Yes. That's why I saw it. I am trying to make Glorp to work in Pharo, but as you know Glorp in Squeak only works with Postgres. And the native postgres driver requieres cryptography package when you use md5 :(

Just for now, I disable md5 from my postgres and use "password" auth-method. With this, cryptography is not needed. However, this is not an option in a production enviorment.

Cheers,

Mariano
 

It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
> AFACT, the cryptography package is a thing of the past, and we
> should look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true
> of OpenSSL, but there is (not always fair) credibility in numbers
> widely known projects.  There will be would-be users of Pharo who
> will want OpenSSL for its reputation, and who would question a home-
> grown solution.
>
> Bill
>
>
> From: [hidden email] [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the
>> Cryptography package is not maintained by anyone. The SSL
>> implementation doesn't allow easy debugging, you can't just turn on
>> logging to see what's happening. Following the state machine
>> transitions should give you the answer why the handshake isn't
>> succeding. It might be related to certificates or TLS->SSL3
>> fallback. If I were you, I would go with curl.
>> I think it is time to write a wrapper around open SSL in addition
>> to looking at the curl plugin.  Trying to write cryptography code
>> from scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email] [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to
>> Pharo? Most tests are break and it seems not to work because lots
>> of  Cryptography methods where in classes like SmallInteger and
>> these methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and
conditions including on offers for the purchase or sale of
securities, accuracy and completeness of information, viruses,
confidentiality, legal privilege, and legal entity disclaimers,
available at http://www.jpmorgan.com/pages/disclosures/email.

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Mariano Martinez Peck
In reply to this post by Schwab,Wilhelm K


On Fri, May 22, 2009 at 11:39 AM, Schwab,Wilhelm K <[hidden email]> wrote:
Ramiro,

*The* cryptography package as written was not necessary to anything; **a** crytography package is indeed necessary for lots of things, no argment there.  OpenSSL can do the hashes you require courtesy of FFI/Alien or a wrapping plugin.  We'll get there, and hopefully not by re-inventing the wheel as the original team chose to do; sorry, but it's a tricky area where mistakes are easy to make and can be catastrophic.

Bill why don't you propose this for a ESUG SummerTalk project ?

 

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Ramiro Diaz Trepat
Sent: Friday, May 22, 2009 5:19 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.
It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
> AFACT, the cryptography package is a thing of the past, and we should
> look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true of
> OpenSSL, but there is (not always fair) credibility in numbers widely
> known projects.  There will be would-be users of Pharo who will want
> OpenSSL for its reputation, and who would question a home- grown
> solution.
>
> Bill
>
>
> From: [hidden email]
> [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the Cryptography
>> package is not maintained by anyone. The SSL implementation doesn't
>> allow easy debugging, you can't just turn on logging to see what's
>> happening. Following the state machine transitions should give you
>> the answer why the handshake isn't succeding. It might be related to
>> certificates or TLS->SSL3 fallback. If I were you, I would go with
>> curl.
>> I think it is time to write a wrapper around open SSL in addition to
>> looking at the curl plugin.  Trying to write cryptography code from
>> scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to Pharo?
>> Most tests are break and it seems not to work because lots of
>> Cryptography methods where in classes like SmallInteger and these
>> methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and conditions including on offers for the purchase or sale of securities, accuracy and completeness of information, viruses, confidentiality, legal privilege, and legal entity disclaimers, available at http://www.jpmorgan.com/pages/disclosures/email.

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

ramiro.diaz.trepat
In reply to this post by Schwab,Wilhelm K
Hi Bill, in spite that I believe that the original cryptography package was a great piece of work, I completely agree with you in both matters: 1) we will need a crypto package soon, 2) If we want to be standing in the shoulders of giants, we better stand on OpenSSL :)
Cheers.

r



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Schwab,Wilhelm K
Sent: 22 May 2009 13:39
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ramiro,

*The* cryptography package as written was not necessary to anything; **a** crytography package is indeed necessary for lots of things, no argment there.  OpenSSL can do the hashes you require courtesy of FFI/Alien or a wrapping plugin.  We'll get there, and hopefully not by re-inventing the wheel as the original team chose to do; sorry, but it's a tricky area where mistakes are easy to make and can be catastrophic.

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Ramiro Diaz Trepat
Sent: Friday, May 22, 2009 5:19 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.
It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.  
> AFACT, the cryptography package is a thing of the past, and we should
> look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true of
> OpenSSL, but there is (not always fair) credibility in numbers widely
> known projects.  There will be would-be users of Pharo who will want
> OpenSSL for its reputation, and who would question a home- grown
> solution.
>
> Bill
>
>
> From: [hidden email]
> [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the Cryptography
>> package is not maintained by anyone. The SSL implementation doesn't
>> allow easy debugging, you can't just turn on logging to see what's
>> happening. Following the state machine transitions should give you
>> the answer why the handshake isn't succeding. It might be related to
>> certificates or TLS->SSL3 fallback. If I were you, I would go with
>> curl.
>> I think it is time to write a wrapper around open SSL in addition to
>> looking at the curl plugin.  Trying to write cryptography code from
>> scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.  
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to Pharo?
>> Most tests are break and it seems not to work because lots of  
>> Cryptography methods where in classes like SmallInteger and these
>> methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and conditions including on offers for the purchase or sale of securities, accuracy and completeness of information, viruses, confidentiality, legal privilege, and legal entity disclaimers, available at http://www.jpmorgan.com/pages/disclosures/email.  

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and
conditions including on offers for the purchase or sale of
securities, accuracy and completeness of information, viruses,
confidentiality, legal privilege, and legal entity disclaimers,
available at http://www.jpmorgan.com/pages/disclosures/email.  

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Schwab,Wilhelm K
In reply to this post by Mariano Martinez Peck
What is involved?
 
 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Mariano Martinez Peck
Sent: Friday, May 22, 2009 7:48 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo



On Fri, May 22, 2009 at 11:39 AM, Schwab,Wilhelm K <[hidden email]> wrote:
Ramiro,

*The* cryptography package as written was not necessary to anything; **a** crytography package is indeed necessary for lots of things, no argment there.  OpenSSL can do the hashes you require courtesy of FFI/Alien or a wrapping plugin.  We'll get there, and hopefully not by re-inventing the wheel as the original team chose to do; sorry, but it's a tricky area where mistakes are easy to make and can be catastrophic.

Bill why don't you propose this for a ESUG SummerTalk project ?

 

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Ramiro Diaz Trepat
Sent: Friday, May 22, 2009 5:19 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.
It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
> AFACT, the cryptography package is a thing of the past, and we should
> look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true of
> OpenSSL, but there is (not always fair) credibility in numbers widely
> known projects.  There will be would-be users of Pharo who will want
> OpenSSL for its reputation, and who would question a home- grown
> solution.
>
> Bill
>
>
> From: [hidden email]
> [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the Cryptography
>> package is not maintained by anyone. The SSL implementation doesn't
>> allow easy debugging, you can't just turn on logging to see what's
>> happening. Following the state machine transitions should give you
>> the answer why the handshake isn't succeding. It might be related to
>> certificates or TLS->SSL3 fallback. If I were you, I would go with
>> curl.
>> I think it is time to write a wrapper around open SSL in addition to
>> looking at the curl plugin.  Trying to write cryptography code from
>> scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to Pharo?
>> Most tests are break and it seems not to work because lots of
>> Cryptography methods where in classes like SmallInteger and these
>> methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and conditions including on offers for the purchase or sale of securities, accuracy and completeness of information, viruses, confidentiality, legal privilege, and legal entity disclaimers, available at http://www.jpmorgan.com/pages/disclosures/email.

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Schwab,Wilhelm K
In reply to this post by ramiro.diaz.trepat
Ramiro,

They do deserve credit for persistence and skill.  I *never* said they did bad work - only that they made a bad decision to reinvent vs. integrate.  It's amazaing how much they accomplished.  However, I suspect the incredible amount of work involved lead to burnout and a moribund project.

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Ramiro Diaz Trepat
Sent: Friday, May 22, 2009 8:36 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Hi Bill, in spite that I believe that the original cryptography package was a great piece of work, I completely agree with you in both matters: 1) we will need a crypto package soon, 2) If we want to be standing in the shoulders of giants, we better stand on OpenSSL :) Cheers.

r



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Schwab,Wilhelm K
Sent: 22 May 2009 13:39
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ramiro,

*The* cryptography package as written was not necessary to anything; **a** crytography package is indeed necessary for lots of things, no argment there.  OpenSSL can do the hashes you require courtesy of FFI/Alien or a wrapping plugin.  We'll get there, and hopefully not by re-inventing the wheel as the original team chose to do; sorry, but it's a tricky area where mistakes are easy to make and can be catastrophic.

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Ramiro Diaz Trepat
Sent: Friday, May 22, 2009 5:19 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.
It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.  
> AFACT, the cryptography package is a thing of the past, and we should
> look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true of
> OpenSSL, but there is (not always fair) credibility in numbers widely
> known projects.  There will be would-be users of Pharo who will want
> OpenSSL for its reputation, and who would question a home- grown
> solution.
>
> Bill
>
>
> From: [hidden email]
> [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the Cryptography
>> package is not maintained by anyone. The SSL implementation doesn't
>> allow easy debugging, you can't just turn on logging to see what's
>> happening. Following the state machine transitions should give you
>> the answer why the handshake isn't succeding. It might be related to
>> certificates or TLS->SSL3 fallback. If I were you, I would go with
>> curl.
>> I think it is time to write a wrapper around open SSL in addition to
>> looking at the curl plugin.  Trying to write cryptography code from
>> scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.  
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to Pharo?
>> Most tests are break and it seems not to work because lots of
>> Cryptography methods where in classes like SmallInteger and these
>> methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and conditions including on offers for the purchase or sale of securities, accuracy and completeness of information, viruses, confidentiality, legal privilege, and legal entity disclaimers, available at http://www.jpmorgan.com/pages/disclosures/email.  

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and conditions including on offers for the purchase or sale of securities, accuracy and completeness of information, viruses, confidentiality, legal privilege, and legal entity disclaimers, available at http://www.jpmorgan.com/pages/disclosures/email.  

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Mariano Martinez Peck
In reply to this post by Schwab,Wilhelm K
You can see this page: http://www.esug.org/Promotion/SummerTalk


2009/5/22 Schwab,Wilhelm K <[hidden email]>
What is involved?
 
 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Mariano Martinez Peck
Sent: Friday, May 22, 2009 7:48 AM

To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo



On Fri, May 22, 2009 at 11:39 AM, Schwab,Wilhelm K <[hidden email]> wrote:
Ramiro,

*The* cryptography package as written was not necessary to anything; **a** crytography package is indeed necessary for lots of things, no argment there.  OpenSSL can do the hashes you require courtesy of FFI/Alien or a wrapping plugin.  We'll get there, and hopefully not by re-inventing the wheel as the original team chose to do; sorry, but it's a tricky area where mistakes are easy to make and can be catastrophic.

Bill why don't you propose this for a ESUG SummerTalk project ?

 

Bill


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Ramiro Diaz Trepat
Sent: Friday, May 22, 2009 5:19 AM
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.
It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
> AFACT, the cryptography package is a thing of the past, and we should
> look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true of
> OpenSSL, but there is (not always fair) credibility in numbers widely
> known projects.  There will be would-be users of Pharo who will want
> OpenSSL for its reputation, and who would question a home- grown
> solution.
>
> Bill
>
>
> From: [hidden email]
> [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the Cryptography
>> package is not maintained by anyone. The SSL implementation doesn't
>> allow easy debugging, you can't just turn on logging to see what's
>> happening. Following the state machine transitions should give you
>> the answer why the handshake isn't succeding. It might be related to
>> certificates or TLS->SSL3 fallback. If I were you, I would go with
>> curl.
>> I think it is time to write a wrapper around open SSL in addition to
>> looking at the curl plugin.  Trying to write cryptography code from
>> scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to Pharo?
>> Most tests are break and it seems not to work because lots of
>> Cryptography methods where in classes like SmallInteger and these
>> methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and conditions including on offers for the purchase or sale of securities, accuracy and completeness of information, viruses, confidentiality, legal privilege, and legal entity disclaimers, available at http://www.jpmorgan.com/pages/disclosures/email.

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Jan van de Sandt
In reply to this post by Mariano Martinez Peck
Hello,

I faced the same problem with Cloudfork-AWS. This project required the Cryptography package for generating the signatures using SHA and for generating MD5 hash values.

When I had problems loading the package in Pharo and I learned that the package was no longer maintained I copied the classes I required to a Cloudfork package. I needed the MD5, SHA1 and SHA256 classes. I renamed them to CFMD5, CFSHA1 and CFSHA256, I also prefixed all the methods in the required class extensions with cf. For example ThirtyTwoBitRegister>>cfBitShift: anInteger. You can use a simular approach for Glorp.

Jan.

PS: Another dependency of Cloudfork is a HTTP client. I'm now playing around with the CurlPlugin, this plugin works very well. Things like supporting https become real easy

2009/5/22 Mariano Martinez Peck <[hidden email]>


On Fri, May 22, 2009 at 9:18 AM, Ramiro Diaz Trepat <[hidden email]> wrote:
I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.

Yes. That's why I saw it. I am trying to make Glorp to work in Pharo, but as you know Glorp in Squeak only works with Postgres. And the native postgres driver requieres cryptography package when you use md5 :(

Just for now, I disable md5 from my postgres and use "password" auth-method. With this, cryptography is not needed. However, this is not an option in a production enviorment.

Cheers,

Mariano
 

It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
> AFACT, the cryptography package is a thing of the past, and we
> should look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true
> of OpenSSL, but there is (not always fair) credibility in numbers
> widely known projects.  There will be would-be users of Pharo who
> will want OpenSSL for its reputation, and who would question a home-
> grown solution.
>
> Bill
>
>
> From: [hidden email] [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the
>> Cryptography package is not maintained by anyone. The SSL
>> implementation doesn't allow easy debugging, you can't just turn on
>> logging to see what's happening. Following the state machine
>> transitions should give you the answer why the handshake isn't
>> succeding. It might be related to certificates or TLS->SSL3
>> fallback. If I were you, I would go with curl.
>> I think it is time to write a wrapper around open SSL in addition
>> to looking at the curl plugin.  Trying to write cryptography code
>> from scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email] [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to
>> Pharo? Most tests are break and it seems not to work because lots
>> of  Cryptography methods where in classes like SmallInteger and
>> these methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and
conditions including on offers for the purchase or sale of
securities, accuracy and completeness of information, viruses,
confidentiality, legal privilege, and legal entity disclaimers,
available at http://www.jpmorgan.com/pages/disclosures/email.

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Stéphane Ducasse
Hi guys

Why don;t you join forces and create a Cryptography package which work  
for pharo and for you.
Mariano I still would love to know the method of integer that are  
missing

Stef

On May 22, 2009, at 4:47 PM, Jan van de Sandt wrote:

> Hello,
>
> I faced the same problem with Cloudfork-AWS. This project required  
> the Cryptography package for generating the signatures using SHA and  
> for generating MD5 hash values.
>
> When I had problems loading the package in Pharo and I learned that  
> the package was no longer maintained I copied the classes I required  
> to a Cloudfork package. I needed the MD5, SHA1 and SHA256 classes. I  
> renamed them to CFMD5, CFSHA1 and CFSHA256, I also prefixed all the  
> methods in the required class extensions with cf. For example  
> ThirtyTwoBitRegister>>cfBitShift: anInteger. You can use a simular  
> approach for Glorp.
>
> Jan.
>
> PS: Another dependency of Cloudfork is a HTTP client. I'm now  
> playing around with the CurlPlugin, this plugin works very well.  
> Things like supporting https become real easy
>
> 2009/5/22 Mariano Martinez Peck <[hidden email]>
>
>
> On Fri, May 22, 2009 at 9:18 AM, Ramiro Diaz Trepat <[hidden email]
> > wrote:
> I'm really sorry to hear it is no longer being maintained.
> It was a necessary package to connect to properly set up Postgres  
> databases, that requiere sending password hashes with SHA-1.  We  
> will probably face this kind of need when interacting with the  
> outside world in general.
>
> Yes. That's why I saw it. I am trying to make Glorp to work in  
> Pharo, but as you know Glorp in Squeak only works with Postgres. And  
> the native postgres driver requieres cryptography package when you  
> use md5 :(
>
> Just for now, I disable md5 from my postgres and use "password" auth-
> method. With this, cryptography is not needed. However, this is not  
> an option in a production enviorment.
>
> Cheers,
>
> Mariano
>
>
> It was a fantastic package, I wonder why the maintainers droped it.  
> I suppose maintaining crypto frameworks up to date, with no  
> vulnerabilities, is a lot of work.
> Sorry for venting out my sadnes to the list.
> Cheers
>
> r.
>
>
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]
> ] On Behalf Of Stéphane Ducasse
> Sent: 22 May 2009 11:08
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
> Ok I thought the cryptology package was working well and maintained.
>
> Stef
>
> On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:
>
> > Agreed: I mentioned both curl and OpenSSL - we should embrace both.
> > AFACT, the cryptography package is a thing of the past, and we
> > should look to active projects.  Tell me where I'm wrong, please.
> >
> > Another reality, fair or not: if we were to take on the enormous
> > burden of maintaining the cypto package, there would always be
> > questions about security holes we left open.  The same will be true
> > of OpenSSL, but there is (not always fair) credibility in numbers
> > widely known projects.  There will be would-be users of Pharo who
> > will want OpenSSL for its reputation, and who would question a home-
> > grown solution.
> >
> > Bill
> >
> >
> > From: [hidden email] [mailto:[hidden email]
> > ] On Behalf Of Fernando olivero
> > Sent: Friday, May 22, 2009 4:20 AM
> > To: [hidden email]
> > Subject: Re: [Pharo-project] Port of Cryptography to Pharo
> >
> >
> > Just a comment,
> >
> > you could use the new  AlienFFI framework to comunicate with curl.
> > Or reify any C library you want in Pharo.
> >
> > Fernando
> >
> >
> > On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
> >
> >> The most recent post on the crytography mailing list starts out as
> >> follows:
> >>
> >> Since the Cryptography Team doesn't exists anymore, the
> >> Cryptography package is not maintained by anyone. The SSL
> >> implementation doesn't allow easy debugging, you can't just turn on
> >> logging to see what's happening. Following the state machine
> >> transitions should give you the answer why the handshake isn't
> >> succeding. It might be related to certificates or TLS->SSL3
> >> fallback. If I were you, I would go with curl.
> >> I think it is time to write a wrapper around open SSL in addition
> >> to looking at the curl plugin.  Trying to write cryptography code
> >> from scratch and get and keep it right is a huge effort, and pretty
> >> avoidable, and IMHO, better avoided by letting others do the job.
> >> Ever read Sun Tzu?
> >>
> >> Bill
> >>
> >>
> >>
> >> From: [hidden email] [mailto:[hidden email]
> >> ] On Behalf Of Mariano Martinez Peck
> >> Sent: Thursday, May 21, 2009 8:51 PM
> >> To: Pharo Development
> >> Subject: [Pharo-project] Port of Cryptography to Pharo
> >>
> >> I don't know if there is anyone of the developers of the package
> >> Cryptography but is someone is willing to do the port of it to
> >> Pharo? Most tests are break and it seems not to work because lots
> >> of  Cryptography methods where in classes like SmallInteger and
> >> these methods were removed in Pharo.
> >>
> >> Regards,
> >>
> >> Mariano
> >> <ATT00001.txt>
> >
> > _______________________________________________
> > Pharo-project mailing list
> > [hidden email]
> > http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
> This email is confidential and subject to important disclaimers and
> conditions including on offers for the purchase or sale of
> securities, accuracy and completeness of information, viruses,
> confidentiality, legal privilege, and legal entity disclaimers,
> available at http://www.jpmorgan.com/pages/disclosures/email.
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Mariano Martinez Peck
In reply to this post by Jan van de Sandt


2009/5/22 Jan van de Sandt <[hidden email]>
Hello,

I faced the same problem with Cloudfork-AWS. This project required the Cryptography package for generating the signatures using SHA and for generating MD5 hash values.

When I had problems loading the package in Pharo and I learned that the package was no longer maintained I copied the classes I required to a Cloudfork package. I needed the MD5, SHA1 and SHA256 classes. I renamed them to CFMD5, CFSHA1 and CFSHA256, I also prefixed all the methods in the required class extensions with cf. For example ThirtyTwoBitRegister>>cfBitShift: anInteger. You can use a simular approach for Glorp.

Thanks for your help. I thought the same solution. Even with 2 simple methods extension I get Cryptography working for the postgresql driver. But because I just fixed the md5 problem, not all of them.
 


Jan.

PS: Another dependency of Cloudfork is a HTTP client. I'm now playing around with the CurlPlugin, this plugin works very well. Things like supporting https become real easy

2009/5/22 Mariano Martinez Peck <[hidden email]>



On Fri, May 22, 2009 at 9:18 AM, Ramiro Diaz Trepat <[hidden email]> wrote:
I'm really sorry to hear it is no longer being maintained.
It was a necessary package to connect to properly set up Postgres databases, that requiere sending password hashes with SHA-1.  We will probably face this kind of need when interacting with the outside world in general.

Yes. That's why I saw it. I am trying to make Glorp to work in Pharo, but as you know Glorp in Squeak only works with Postgres. And the native postgres driver requieres cryptography package when you use md5 :(

Just for now, I disable md5 from my postgres and use "password" auth-method. With this, cryptography is not needed. However, this is not an option in a production enviorment.

Cheers,

Mariano
 

It was a fantastic package, I wonder why the maintainers droped it.  I suppose maintaining crypto frameworks up to date, with no vulnerabilities, is a lot of work.
Sorry for venting out my sadnes to the list.
Cheers

r.




-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Stéphane Ducasse
Sent: 22 May 2009 11:08
To: [hidden email]
Subject: Re: [Pharo-project] Port of Cryptography to Pharo

Ok I thought the cryptology package was working well and maintained.

Stef

On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:

> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
> AFACT, the cryptography package is a thing of the past, and we
> should look to active projects.  Tell me where I'm wrong, please.
>
> Another reality, fair or not: if we were to take on the enormous
> burden of maintaining the cypto package, there would always be
> questions about security holes we left open.  The same will be true
> of OpenSSL, but there is (not always fair) credibility in numbers
> widely known projects.  There will be would-be users of Pharo who
> will want OpenSSL for its reputation, and who would question a home-
> grown solution.
>
> Bill
>
>
> From: [hidden email] [mailto:[hidden email]
> ] On Behalf Of Fernando olivero
> Sent: Friday, May 22, 2009 4:20 AM
> To: [hidden email]
> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>
>
> Just a comment,
>
> you could use the new  AlienFFI framework to comunicate with curl.
> Or reify any C library you want in Pharo.
>
> Fernando
>
>
> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>
>> The most recent post on the crytography mailing list starts out as
>> follows:
>>
>> Since the Cryptography Team doesn't exists anymore, the
>> Cryptography package is not maintained by anyone. The SSL
>> implementation doesn't allow easy debugging, you can't just turn on
>> logging to see what's happening. Following the state machine
>> transitions should give you the answer why the handshake isn't
>> succeding. It might be related to certificates or TLS->SSL3
>> fallback. If I were you, I would go with curl.
>> I think it is time to write a wrapper around open SSL in addition
>> to looking at the curl plugin.  Trying to write cryptography code
>> from scratch and get and keep it right is a huge effort, and pretty
>> avoidable, and IMHO, better avoided by letting others do the job.
>> Ever read Sun Tzu?
>>
>> Bill
>>
>>
>>
>> From: [hidden email] [mailto:[hidden email]
>> ] On Behalf Of Mariano Martinez Peck
>> Sent: Thursday, May 21, 2009 8:51 PM
>> To: Pharo Development
>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>
>> I don't know if there is anyone of the developers of the package
>> Cryptography but is someone is willing to do the port of it to
>> Pharo? Most tests are break and it seems not to work because lots
>> of  Cryptography methods where in classes like SmallInteger and
>> these methods were removed in Pharo.
>>
>> Regards,
>>
>> Mariano
>> <ATT00001.txt>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
This email is confidential and subject to important disclaimers and
conditions including on offers for the purchase or sale of
securities, accuracy and completeness of information, viruses,
confidentiality, legal privilege, and legal entity disclaimers,
available at http://www.jpmorgan.com/pages/disclosures/email.

_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
Reply | Threaded
Open this post in threaded view
|

Re: Port of Cryptography to Pharo

Adrian Lienhard
In reply to this post by Stéphane Ducasse
I think we should add MD5 and SHA1 of Cryptography to Pharo-core.  
These are quite basic and often used hash functions. In the past I  
also copied the MD5 class over from the Cryptography package.

Adrian

On May 22, 2009, at 16:54 , Stéphane Ducasse wrote:

> Hi guys
>
> Why don;t you join forces and create a Cryptography package which work
> for pharo and for you.
> Mariano I still would love to know the method of integer that are
> missing
>
> Stef
>
> On May 22, 2009, at 4:47 PM, Jan van de Sandt wrote:
>
>> Hello,
>>
>> I faced the same problem with Cloudfork-AWS. This project required
>> the Cryptography package for generating the signatures using SHA and
>> for generating MD5 hash values.
>>
>> When I had problems loading the package in Pharo and I learned that
>> the package was no longer maintained I copied the classes I required
>> to a Cloudfork package. I needed the MD5, SHA1 and SHA256 classes. I
>> renamed them to CFMD5, CFSHA1 and CFSHA256, I also prefixed all the
>> methods in the required class extensions with cf. For example
>> ThirtyTwoBitRegister>>cfBitShift: anInteger. You can use a simular
>> approach for Glorp.
>>
>> Jan.
>>
>> PS: Another dependency of Cloudfork is a HTTP client. I'm now
>> playing around with the CurlPlugin, this plugin works very well.
>> Things like supporting https become real easy
>>
>> 2009/5/22 Mariano Martinez Peck <[hidden email]>
>>
>>
>> On Fri, May 22, 2009 at 9:18 AM, Ramiro Diaz Trepat <[hidden email]
>>> wrote:
>> I'm really sorry to hear it is no longer being maintained.
>> It was a necessary package to connect to properly set up Postgres
>> databases, that requiere sending password hashes with SHA-1.  We
>> will probably face this kind of need when interacting with the
>> outside world in general.
>>
>> Yes. That's why I saw it. I am trying to make Glorp to work in
>> Pharo, but as you know Glorp in Squeak only works with Postgres. And
>> the native postgres driver requieres cryptography package when you
>> use md5 :(
>>
>> Just for now, I disable md5 from my postgres and use "password" auth-
>> method. With this, cryptography is not needed. However, this is not
>> an option in a production enviorment.
>>
>> Cheers,
>>
>> Mariano
>>
>>
>> It was a fantastic package, I wonder why the maintainers droped it.
>> I suppose maintaining crypto frameworks up to date, with no
>> vulnerabilities, is a lot of work.
>> Sorry for venting out my sadnes to the list.
>> Cheers
>>
>> r.
>>
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]
>> ] On Behalf Of Stéphane Ducasse
>> Sent: 22 May 2009 11:08
>> To: [hidden email]
>> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>>
>> Ok I thought the cryptology package was working well and maintained.
>>
>> Stef
>>
>> On May 22, 2009, at 11:58 AM, Schwab,Wilhelm K wrote:
>>
>>> Agreed: I mentioned both curl and OpenSSL - we should embrace both.
>>> AFACT, the cryptography package is a thing of the past, and we
>>> should look to active projects.  Tell me where I'm wrong, please.
>>>
>>> Another reality, fair or not: if we were to take on the enormous
>>> burden of maintaining the cypto package, there would always be
>>> questions about security holes we left open.  The same will be true
>>> of OpenSSL, but there is (not always fair) credibility in numbers
>>> widely known projects.  There will be would-be users of Pharo who
>>> will want OpenSSL for its reputation, and who would question a home-
>>> grown solution.
>>>
>>> Bill
>>>
>>>
>>> From: [hidden email] [mailto:[hidden email]
>>> ] On Behalf Of Fernando olivero
>>> Sent: Friday, May 22, 2009 4:20 AM
>>> To: [hidden email]
>>> Subject: Re: [Pharo-project] Port of Cryptography to Pharo
>>>
>>>
>>> Just a comment,
>>>
>>> you could use the new  AlienFFI framework to comunicate with curl.
>>> Or reify any C library you want in Pharo.
>>>
>>> Fernando
>>>
>>>
>>> On May 22, 2009, at 5:04 AM, Schwab,Wilhelm K wrote:
>>>
>>>> The most recent post on the crytography mailing list starts out as
>>>> follows:
>>>>
>>>> Since the Cryptography Team doesn't exists anymore, the
>>>> Cryptography package is not maintained by anyone. The SSL
>>>> implementation doesn't allow easy debugging, you can't just turn on
>>>> logging to see what's happening. Following the state machine
>>>> transitions should give you the answer why the handshake isn't
>>>> succeding. It might be related to certificates or TLS->SSL3
>>>> fallback. If I were you, I would go with curl.
>>>> I think it is time to write a wrapper around open SSL in addition
>>>> to looking at the curl plugin.  Trying to write cryptography code
>>>> from scratch and get and keep it right is a huge effort, and pretty
>>>> avoidable, and IMHO, better avoided by letting others do the job.
>>>> Ever read Sun Tzu?
>>>>
>>>> Bill
>>>>
>>>>
>>>>
>>>> From: [hidden email] [mailto:[hidden email]
>>>> ] On Behalf Of Mariano Martinez Peck
>>>> Sent: Thursday, May 21, 2009 8:51 PM
>>>> To: Pharo Development
>>>> Subject: [Pharo-project] Port of Cryptography to Pharo
>>>>
>>>> I don't know if there is anyone of the developers of the package
>>>> Cryptography but is someone is willing to do the port of it to
>>>> Pharo? Most tests are break and it seems not to work because lots
>>>> of  Cryptography methods where in classes like SmallInteger and
>>>> these methods were removed in Pharo.
>>>>
>>>> Regards,
>>>>
>>>> Mariano
>>>> <ATT00001.txt>
>>>
>>> _______________________________________________
>>> Pharo-project mailing list
>>> [hidden email]
>>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>>
>>
>> _______________________________________________
>> Pharo-project mailing list
>> [hidden email]
>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>> This email is confidential and subject to important disclaimers and
>> conditions including on offers for the purchase or sale of
>> securities, accuracy and completeness of information, viruses,
>> confidentiality, legal privilege, and legal entity disclaimers,
>> available at http://www.jpmorgan.com/pages/disclosures/email.
>>
>> _______________________________________________
>> Pharo-project mailing list
>> [hidden email]
>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>>
>>
>> _______________________________________________
>> Pharo-project mailing list
>> [hidden email]
>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>>
>> _______________________________________________
>> Pharo-project mailing list
>> [hidden email]
>> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
>
>
> _______________________________________________
> Pharo-project mailing list
> [hidden email]
> http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project


_______________________________________________
Pharo-project mailing list
[hidden email]
http://lists.gforge.inria.fr/cgi-bin/mailman/listinfo/pharo-project
123