Arnaud Quette
2012-Oct-12 22:55 UTC
[Nut-upsdev] NSS support in trunk (was: NSS branch pull request)
2012/10/12 Emilien Kia <kiae.dev at gmail.com>

> Hi guys,

Hi Emilien and the list,

> This is a pull request to finally merge NSS feature in nut trunk:
> https://github.com/clepple/nut/pull/3

I'd like to take a moment to shed some more light on this important development, which lasted 3 years:

- the initial request <http://lists.alioth.debian.org/pipermail/nut-upsdev/2009-September/004023.html> to support Mozilla NSS (Network Security Services) was made by Michal Hlavinka (from Redhat) in September 2009.
at that time, Redhat was pushing an effort to consolidate cryptographic services <http://fedoraproject.org/wiki/FedoraCryptoConsolidation> in Fedora.
The same was true on the side of Suse / Novell (Stanislav Brabec).

- as a Debian developer, I was very interested in the topic:
for legal reasons, NUT can't be linked with OpenSSL without exiting from the 'main' Debian repository.
since NSS is distributed under 3 licenses, including GPL, it will fix the missing crypto in Debian (and derivatives) NUT packages!

- as a NUT dev, I made a preliminary audit a few months later: Alioth Task #456 <https://alioth.debian.org/pm/task.php?func=detailtask&project_task_id=456&group_id=30602&group_project_id=315> (SSL support using Mozilla NSS).
but lacking time on my side, another person was needed to work on it.

- this happened through the Eaton sponsorship, half a year later:
Emilien, very knowledgeable and skilled in IT security and software development (perfect profile for this task), started to work on the topic.

- actual development happened over 2 months (dec. 2010-jan. 2011), executed perfectly as planned.
it successfully passed tests, and only received very few adjustments later.

- some merge preparations were attempted over the past year. but the actual merge never happened, for various reasons.

- Emilien devoted a lot of energy and personal time, over the past week, to get the merge approval.
so thanks a lot, and kudos Emilien! you did it ;)

- thus my review was easier and quicker. it resulted in my approval, with a tiny (but not minor) adjustment.
namely, libupsclient version information was not bumped (my fault!).
however, some improvements are already planned and will be tracked soon on Alioth.

- Frédéric Bohé (from Eaton) also deserves his bunch of thanks, for having executed the NSS tests... several times over the past couple of years. so thanks a lot Fred. Wookiee power!

- the final thanks goes to Charles Lepple, who counter approved the github pull request, and handled the final merge to the official development tree, a few hours ago:

> http://trac.networkupstools.org/projects/nut/changeset/3751
>
> Add Network Security Services (NSS) support
>
> Author: Emilien Kia <kiae.dev at gmail.com>
>
> Based on SVN: branches/ssl-nss-port
>
> Closes pull request #3: https://github.com/clepple/nut/pull/3
>
> Additional commits by Arnaud Quette and Arjen de Korte.

- the compilation is successful on our Buildbots <http://buildbot.networkupstools.org/public/nut/builders>, except on Aix (not available, offline) and Windows (not applicable).

- Emilien and I will work on completing the QA regression test script for NUT <http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/scripts/test-nut.py> for NSS.
for the time being, all the (few) current tests pass on the new trunk:

> test_CVE_2012_2944 (__main__.BasicTest)
> Test CVE-2012-2944 ... ok
> test_daemons_pid (__main__.BasicTest)
> Test daemons using PID files ... ok
> test_daemons_service (__main__.BasicTest)
> Test daemons using "service status" ... ok
> test_upsc_device_list (__main__.BasicTest)
> Test NUT client interface (upsc): device(s) listing ... ok
> test_upsd_IPv4 (__main__.BasicTest)
> Test upsd IPv4 reachability ... ok
> test_upsd_IPv6 (__main__.BasicTest)
> Test upsd IPv6 reachability ... ok
> test_upsmon_notif (__main__.BasicTest)
> Test upsmon notifications ... ok
> test_upsmon_shutdown (__main__.BasicTest)
> Test upsmon basic shutdown (single UPS, low battery status) ... ok
> test_upsrw (__main__.BasicTest)
> Test upsrw ... ok
> ...

> The DVT have been successfully passed by Fred Bohe (Eaton).

for those interested, this tests validation report is available here <http://www.networkupstools.org/tmp/NUT-NSS_Mini_DVT_exec10Oct2012-FBohe.pdf>.

the current plan is still to release NSS support with 2.8.0.
I will discuss, in a separate thread on -upsusers, the progress status of the 2.8.0.

in the meantime, a snapshot <http://www.networkupstools.org/source/2.8/nut-trunk-r3751.tar.gz> is available for testing.
you will need to have NSS development files, to use "configure --with-nss".
refer to docs/security.txt, § "NSS backend usage" for configuration instructions.
I will post a blog entry with more details.

it's sometimes a long road to reach the target.
thanks again to Emilien, Fred and Charles.
and to Eaton for this sponsorship.

cheers,
Arnaud
--
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.fr
Charles Lepple
2012-Oct-15 12:54 UTC
[Nut-upsdev] NSS support in trunk (was: NSS branch pull request)
On Oct 12, 2012, at 6:55 PM, Arnaud Quette wrote:

> - the compilation is successful on our Buildbots, except on Aix (not available, offline) and Windows (not applicable).

Update: the AIX buildbot has uncovered a corner case in our handling of the SSL auto-detection in ./configure. From docs/configure.txt:

> --with-ssl (default: auto-detect)
> --with-nss (default: auto-detect)
> --with-openssl (default: auto-detect)
>
> Enable SSL support, using either Mozilla NSS or OpenSSL.
> If both are present, and nothing was specified, OpenSSL support will
> be prefered. Read docs/security.txt for instructions on SSL support.

My understanding is that in the absence of "--with-ssl=yes", the auto-detect should fall back to no SSL support. The configure script isn't finding either OpenSSL or Mozilla NSS, and it is failing:

http://buildbot.networkupstools.org/public/nut/builders/AIX-powerpc/builds/206/steps/configure/logs/stdio

(We do explicitly pass "--with-ssl=auto" to configure when "make distcheck-light" calls it a second time, but the configure step needs to successfully complete first.)

--
Charles Lepple
clepple at gmail
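
The option semantics quoted from docs/configure.txt and the fallback described in the message above, modelled as a shell function. This is an added example, not part of the thread and not NUT's configure code; the function name, its argument order, and the rules that --with-ssl=no overrides the backend options and that an explicit --with-openssl=yes wins over --with-nss=yes are assumptions.

```sh
#!/bin/sh
# Added illustration, NOT NUT's configure code: a model of the option
# semantics quoted from docs/configure.txt plus the fallback described above.
# Args: with_ssl with_nss with_openssl have_nss have_openssl
#   with_*: auto | yes | no      have_*: yes | no (outcome of the library probe)
# Prints openssl | nss | none; returns 1 when an explicit request cannot be met.
resolve_ssl_backend() {
    with_ssl=$1; with_nss=$2; with_openssl=$3; have_nss=$4; have_openssl=$5

    # Assumption: --with-ssl=no switches SSL off regardless of backend options.
    if [ "$with_ssl" = no ]; then echo none; return 0; fi

    # An explicitly requested backend must exist, otherwise fail loudly.
    if [ "$with_openssl" = yes ]; then
        [ "$have_openssl" = yes ] || { echo "OpenSSL requested, not found" >&2; return 1; }
        echo openssl; return 0
    fi
    if [ "$with_nss" = yes ]; then
        [ "$have_nss" = yes ] || { echo "NSS requested, not found" >&2; return 1; }
        echo nss; return 0
    fi

    # Auto-detection: OpenSSL is preferred when both libraries are present.
    if [ "$with_openssl" != no ] && [ "$have_openssl" = yes ]; then echo openssl; return 0; fi
    if [ "$with_nss" != no ] && [ "$have_nss" = yes ]; then echo nss; return 0; fi

    # Nothing usable: only --with-ssl=yes turns this into an error.
    if [ "$with_ssl" = yes ]; then
        echo "SSL required, but neither OpenSSL nor NSS was found" >&2
        return 1
    fi
    echo none   # auto: the build continues without SSL support
}

# Constructed cases: the AIX situation (no library found, everything on auto),
# then a host with both libraries installed.
resolve_ssl_backend auto auto auto no no     # prints: none
resolve_ssl_backend auto auto auto yes yes   # prints: openssl
```

Under this model a build on auto-detect quietly produces binaries without SSL when no library is found, so a package that must ship with encryption would pass --with-ssl=yes (or a specific backend) and let a missing library fail the build.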
Michal Hlavinka
2012-Oct-18 12:43 UTC
[Nut-upsdev] NSS support in trunk (was: NSS branch pull request)
That's great! Big thanks to everyone who participated here.