bad bignum encoding for curve25519-sha256 at libssh.org

mancha mancha1 at zoho.com
Thu Apr 24 12:24:39 EST 2014


On Thu, Apr 24, 2014 at 11:15:49AM +1000, Damien Miller wrote:
> On Wed, 23 Apr 2014, Bryan Drewery wrote:
> 
> > Am I the only one who finds a bugfix non-release via unsigned mail with
> > an inline patch a problem?
> 
> It's only a problem if you can't/won't read the code.
> 
> -d

I don't think Bryan's comment is without merit. When I saw the ML patch
I reconstructed it from commits in portable's git repo for my own peace
of mind [1].

Would it be possible to have "official" patches provided via the ML be
PGP-signed in the future? I think many would appreciate it.

--mancha

PS Also, not sure what git you use on mindrot but by way of FYI, as of
version 1.7.9, git allows PGP signing individual commits (e.g. git
commit -S -m "blah").

=========
[1] Ingredients of Curve25519 bugfix patch:
https://anongit.mindrot.org/openssh.git/commit/?id=adbfdbbdcc
https://anongit.mindrot.org/openssh.git/commit/?id=9395b28223
https://anongit.mindrot.org/openssh.git/commit/?id=0e6b67423b
https://anongit.mindrot.org/openssh.git/commit/?id=b628cc4c3e
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20140424/0beaa195/attachment.bin>


More information about the openssh-unix-dev mailing list