dnaq
@dnaq
@kpp you forgot to bump the dependency on libsodium-sys to 0.2.5 (in the Cargo.toml of sodiumoxide)
can you merge as soon as possible so I can publish the release?
I think I'll add a release preparing script later on to automate the version number bumping for the future
Roman Proskuryakov
@kpp
@dnaq merged
dnaq
@dnaq
Great. I’ll publish within the hour
dnaq
@dnaq
Done
Roman Proskuryakov
@kpp
Thanks
dnaq
@dnaq
Thank you for preparing the release
Dylan DPC
@Dylan-DPC
@kpp I don't think it's a good idea to post a vulnerability there esp on Reddit. It's better to go through rustsec channels
Note I don't check gitter often so replies might be delayed. Faster to contact me on discord/zulip
dnaq
@dnaq
Do we have a zulip channel?
If so, could we close down the Gitter and switch to it?
Roman Proskuryakov
@kpp
@Dylan-DPC what is a rustsec channel?
Dylan DPC
@Dylan-DPC
@dnaq nope but I can create a separate server on zulip or discord if needed
@kpp rust safe code guidelines working group
Oops
I mean rust
Rust
Damn sorry 😅
Rust wg-secure-code (the ones who published the advisory)
dnaq
@dnaq
@Dylan-DPC I think it was @kpp who actually contacted rustsec, and the reddit post was made after the rustsec advisory had been released, so I think this was a good way to make the issue get more attention
I'll be glad to switch to zulip, I'm not a big fan of gitter to be honest
Dylan DPC
@Dylan-DPC
@dnaq yeah I didn't know about it but realised after I pinged rustsec about it :D
Anyway, so our next step is to yank all affected releases, as long as there is a semver compatible unaffected version. We already released 0.2.5 which is good, but I don't think we need to have for 0.1.x since we don't support 0.1 any more. Thoughts?
Roman Proskuryakov
@kpp
Well... maybe
Dylan DPC
@Dylan-DPC
Maybe what?
Roman Proskuryakov
@kpp
maybe we should yank all affected releases
Dylan DPC
@Dylan-DPC
@kpp as per the wg-secure group, they recommend that we should yank all affected releases
Roman Proskuryakov
@kpp
OK
@dnaq ?
Dylan DPC
@Dylan-DPC
I have some time right now so thinking of yanking it
ah nvm i'm not an owner :smirk:
dnaq
@dnaq
Which releases should I yank? Should be from when generichash first showed up to the current version
Dylan DPC
@Dylan-DPC

the advisory says that:

Affected versions: >= 0.1.0 and <= 0.2.4.

so i'd say those but i'm not sure if 0.1.* are affected or not

dnaq
@dnaq
According to the change log it was introduced in 0.2.0
Roman Proskuryakov
@kpp
Yep, I was wrong in the advisory
dnaq
@dnaq
I yanked 0.2.0-0.2.4
Could anyone go through all commits from the same person who committed generichash and see that we don’t have any other issues?
Dylan DPC
@Dylan-DPC
@dnaq ah thanks for yanking :)
Roman Proskuryakov
@kpp
Does anyone want to review sodiumoxide/sodiumoxide#351
dnaq
@dnaq
I won’t have any free time at all for a while. Can I add you as a crate owner?
Roman Proskuryakov
@kpp
@Dylan-DPC ?
noproto
@noproto
I really like the hex support that landed in master in Nov 2019, any word on when we'll see a sodiumoxide release with it?
Roman Proskuryakov
@kpp
@noproto did you try it in your project?
noproto
@noproto
@kpp I haven't yet, just glanced over the code
Roman Proskuryakov
@kpp
Would you please try master branch?
We will land a new release after it
Mitchell Tannenbaum
@naturallymitchell
Come use The Speakeasy Solution Stack Rust engine: Torchbear for fast, safe, simple, and complete(R) scripting
naturallymitchell/announcements#1