A person who donated to the Foundation made a small wish list known. Allow me to relay it:

* RSA Digital Signature Validation in Phobos
* std.decimal in Phobos
* better dll support for Windows.


Andrei

On Tuesday, 24 October 2017 at 13:20:10 UTC, Andrei Alexandrescu wrote:

> * better dll support for Windows.

This one is on a lot of wish lists.

On 24/10/2017 2:25 PM, Mike Parker wrote:
> On Tuesday, 24 October 2017 at 13:20:10 UTC, Andrei Alexandrescu wrote:
> 
>> * better dll support for Windows.
> 
> This one is on a lot of wish lists.

It definitely needs to be a target for 2018H1, I'll be making sure its added! Too big a blocker and comes up a little too often...

On Tuesday, 24 October 2017 at 13:20:10 UTC, Andrei Alexandrescu wrote:
> A person who donated to the Foundation made a small wish list known. Allow me to relay it:
>
> * RSA Digital Signature Validation in Phobos
> * std.decimal in Phobos
> * better dll support for Windows.
>
>
> Andrei

First two are in my wish list too!

On Tuesday, 24 October 2017 at 13:20:10 UTC, Andrei Alexandrescu wrote:
> * RSA Digital Signature Validation in Phobos

https://issues.dlang.org/show_bug.cgi?id=16510 the blocker for botan was OMF support.

On Tue, Oct 24, 2017 at 09:20:10AM -0400, Andrei Alexandrescu via Digitalmars-d wrote:
> A person who donated to the Foundation made a small wish list known. Allow me to relay it:
> 
> * RSA Digital Signature Validation in Phobos
[...]

This is going to be a tricky one.  I'm very wary of implementing cryptographic algorithms without a crypto expert on board.  It's just far too easy to get a tiny detail wrong, and open up a gaping security hole as a result.  Even though we're not talking about encryption per se, all it takes is for a bug to wrongly validate an invalid signature and we have a problem.  And even if there are no bugs, there may be (probably many) inadvertent side-channel attacks opened up if whoever writes the code is unaware of them.

The other alternative is to wrap around a reputable crypto library like openssl, but that would mean even more external dependencies of Phobos. And we all know how well that went with libcurl, zlib, etc.: people constantly complain about why this doesn't work and why that breaks.  If we build Phobos with an external dependency on openssl, say, that means the installer must make sure it finds the right DLL/.so paths, configure the compiler accordingly, deal with possibly multiple incompatible local versions of the same library on the user's system, etc..  But if we ship openssl with Phobos to avoid this problem, then we have another problem: needing to push out a high-priority security fixes if an exploit is published, etc., which currently we simply don't have the infrastructure to deal with.   Neither alternative sounds appealing to me.

(Having said all that, though, D is probably a far better language for implementing crypto algorithms -- built-in bounds checking would have prevented some of the worst security holes that have come to light recently, like Heartbleed and Cloudbleed.  Still, I wouldn't feel confident about a crypto library written in D unless it was reviewed by someone with crypto expertise. Or preferably, *multiple* crypto experts. It's just far, far too easy to get it wrong, with disastrous consequences.)


T

-- 
A program should be written to model the concepts of the task it performs rather than the physical world or a process because this maximizes the potential for it to be applied to tasks that are conceptually similar and, more important, to tasks that have not yet been conceived. -- Michael B. Allen

On 10/24/2017 09:37 AM, H. S. Teoh wrote:
> On Tue, Oct 24, 2017 at 09:20:10AM -0400, Andrei Alexandrescu via Digitalmars-d wrote:
>> A person who donated to the Foundation made a small wish list known.
>> Allow me to relay it:
>>
>> * RSA Digital Signature Validation in Phobos
> [...]
>
> This is going to be a tricky one.  I'm very wary of implementing
> cryptographic algorithms without a crypto expert on board.

deadalnix (Amaury Séchet) is in that field:

  http://dconf.org/2017/talks/sechet.html

Ali

On Tuesday, 24 October 2017 at 17:31:06 UTC, Ali Çehreli wrote:
> On 10/24/2017 09:37 AM, H. S. Teoh wrote:
> > On Tue, Oct 24, 2017 at 09:20:10AM -0400, Andrei Alexandrescu
> via Digitalmars-d wrote:
> >> A person who donated to the Foundation made a small wish
> list known.
> >> Allow me to relay it:
> >>
> >> * RSA Digital Signature Validation in Phobos
> > [...]
> >
> > This is going to be a tricky one.  I'm very wary of
> implementing
> > cryptographic algorithms without a crypto expert on board.
>
> deadalnix (Amaury Séchet) is in that field:
>
>   http://dconf.org/2017/talks/sechet.html
>
> Ali

He's a little busy right now: ;)

http://cryptotimes.org/alt-coin/amaury-sechet-discusses-the-values-of-bitcoin-abc-development/

On 10/24/17 07:14, Kagamin wrote:
> On Tuesday, 24 October 2017 at 13:20:10 UTC, Andrei Alexandrescu wrote:
>> * RSA Digital Signature Validation in Phobos
>
> https://issues.dlang.org/show_bug.cgi?id=16510 the blocker for botan was
> OMF support.

IMO, the correct solution here is to deprecate OMF and use the System linker for 32-bit on Windows as that is already the default behavior on 64-bit Windows

So instead of -m32 and -m32mscoff, we would have -m32 and -m32omf. I think that this is a reasonable tradeoff. We could leave -m32mscoff in for a while, for backwards compat.

-- 
Adam Wilson
IRC: LightBender
import quiet.dlang.dev;

On Tuesday, 24 October 2017 at 20:27:26 UTC, Adam Wilson wrote:
> On 10/24/17 07:14, Kagamin wrote:
>> On Tuesday, 24 October 2017 at 13:20:10 UTC, Andrei Alexandrescu wrote:
>>> * RSA Digital Signature Validation in Phobos
>>
>> https://issues.dlang.org/show_bug.cgi?id=16510 the blocker for botan was
>> OMF support.
>
> IMO, the correct solution here is to deprecate OMF and use the System linker for 32-bit on Windows as that is already the default behavior on 64-bit Windows
>
> So instead of -m32 and -m32mscoff, we would have -m32 and -m32omf. I think that this is a reasonable tradeoff. We could leave -m32mscoff in for a while, for backwards compat.

In general I agree with you that coff is the way to go. I just dislike the consequences. Today you just download the dmd Windows zip, extract it and you have a running compiler. Nice, self contained and a good advertisement for D. On the other side if the user is forced to install Visual Studio / C++ build pack, this might distract first time D users...

If the Microsoft linker could be added to dmd that would be the best solution. Just dreaming :)

Kind regards
Andre