So, I'm Wondering...

richmond62
Posts: 2617
Joined: Sun Sep 12, 2021 11:03 am
Location: Bulgaria

Re: So, I'm Wondering...

Post by richmond62 »

These are FOSS libraries that were available from LC's servers but are now behind a Password wall.
That makes the LC people look even worse than they already do: IF those libraries are FOSS they should be freely available.
https://richmondmathewson.owlstown.net/
richmond62
Posts: 2617
Joined: Sun Sep 12, 2021 11:03 am
Location: Bulgaria

Re: So, I'm Wondering...

Post by richmond62 »

I don't think the folks at LC would track Community users without consent
No, I don't think so either, so long as you remember to "skip this step" every time an LC Community
installer invites you to go skipping. 8-)
[Image: skipping.png, captioned "Go, Kev, Go!"]
https://richmondmathewson.owlstown.net/
OpenXTalkPaul
Posts: 1485
Joined: Sat Sep 11, 2021 4:19 pm

Re: So, I'm Wondering...

Post by OpenXTalkPaul »

richmond62 wrote: Wed Jun 29, 2022 9:43 am
These are FOSS libraries that were available from LC's servers but are now behind a Password wall.
That makes the LC people look even worse than they already do: IF those libraries are FOSS they should be freely available.
In their defense I never bothered to ask them for the libs because I still haven't quite gotten around to seriously trying to compile the engines from source yet. Depending on the license of those libs (probably very liberal, MIT license or whatever) they may not be obligated to provide them anyway. I mean the source code is out there so you could compile those yourself (which I'm sure amounts to more difficulties, probably requiring old versions of GCC and such). Providing the source or a link to the source may be the only real obligation involved.

But yeah, putting those behind PW wall does come off as another 'dick move', IMO.

Fortunately a (well known but I probably shouldn't 'out' them) community member has helped us out there.
I now have those prebuilt binaries if anyone needs them.
Here is a file list of those binaries:
Thirdparty-e5e050573c226f60acfbb9107c2b4aea853b0cbe-linux-x86_64-PIC.tar.bz2
CEF-74.1.19-linux-x86_64-gb62bacf.tar.bz2
icu4c-69_1-Ubuntu-20.04-x64.tgz
openssl-3.0.0.tar.gz
openssl-1.1.1l.tar.gz
ICU-58.2-All-Universal-Data-1-PIC.tar.bz2
curl-7.79.1.tar.bz2
ICU-58.2-linux-x86_64-1-PIC.tar.bz2
OpenSSL-1.1.1g-linux-x86_64-PIC.tar.bz2
ICU-58.2-All-Universal-Headers-1-PIC.tar.bz2
OpenSSL-1.1.1g-All-Universal-Headers-PIC.tar.bz2
Curl-7.51.0-linux-x86_64-PIC.tar.bz2
axwald
Posts: 10
Joined: Mon Sep 27, 2021 1:14 pm
Location: Sol/ Terra/ Europe/ Bavaria

Re: So, I'm Wondering...

Post by axwald »

Hi,

Just as I see this, and was asked about it a while ago:

As far as I can determine, the latest Community version (9.6.3) uses OpenSSL 1.1.1g in "revsecurity.dll" (for Win64 at least). That is from 21. April 2020. Current is OpenSSL 1.1.1o. Means, the 9.6.3 has some quite serious vulnerabilities.

Anybody ever thought of doing something about this? The situation regarding Curl/ CEF might not be better.

Back to lurking, have fun!
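
One way to check which OpenSSL a binary or a dependency archive carries, as an added example that is not part of the original post or of the LiveCode/OpenXTalk code: it scans bytes for the OpenSSL version banner, reads versions out of archive names from the file list earlier in the thread, and compares 1.x patch letters against the 1.1.1o release named above. The sample bytes are constructed and the function names are made up for this sketch.

```python
import re

# Version banner compiled into libcrypto, e.g. b"OpenSSL 1.1.1g  21 Apr 2020".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+\d{1,2} [A-Za-z]{3} \d{4}")
# Version in an archive name such as "OpenSSL-1.1.1g-linux-x86_64-PIC.tar.bz2".
ARCHIVE = re.compile(r"^openssl-(\d+\.\d+\.\d+[a-z]*)(?=[-.])", re.IGNORECASE)


def parse_version(text):
    """'1.1.1g' -> (1, 1, 1, 'g'); 1.x patch letters sort '' < 'a' < ... < 'z' < 'za'."""
    major, minor, fix, letter = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text).groups()
    return int(major), int(minor), int(fix), letter


def banners_in(blob):
    """Return the distinct OpenSSL versions whose banner appears in a binary's bytes."""
    return sorted({m.group(1).decode("ascii") for m in BANNER.finditer(blob)}, key=parse_version)


def versions_from_archives(names):
    """Map each OpenSSL archive name to the version it claims; other archives are skipped."""
    found = {}
    for name in names:
        m = ARCHIVE.match(name)
        if m:
            found[name] = m.group(1).lower()
    return found


def is_behind(version, baseline):
    """True when version is in the baseline's release series but at an earlier patch letter."""
    v, b = parse_version(version), parse_version(baseline)
    return v[:3] == b[:3] and v[3] < b[3]


# Constructed stand-in for a library's bytes; a real check would read the file from disk.
SAMPLE_BLOB = b"\x00\x7fpadding\x00OpenSSL 1.1.1g  21 Apr 2020\x00more\x00"
ARCHIVES = [  # names taken from the file list in the thread
    "openssl-3.0.0.tar.gz", "openssl-1.1.1l.tar.gz", "curl-7.79.1.tar.bz2",
    "OpenSSL-1.1.1g-linux-x86_64-PIC.tar.bz2",
]
BASELINE = "1.1.1o"  # the release the post names as current at the time

if __name__ == "__main__":
    for v in banners_in(SAMPLE_BLOB):
        print("embedded", v, "behind baseline:", is_behind(v, BASELINE))
    for name, v in versions_from_archives(ARCHIVES).items():
        print(name, v, "behind baseline:", is_behind(v, BASELINE))
```

A version in another release series (3.0.0 here) is reported as not behind because it needs its own baseline; the comparison only orders patch letters within one series.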
OpenXTalkPaul
Posts: 1485
Joined: Sat Sep 11, 2021 4:19 pm

Re: So, I'm Wondering...

Post by OpenXTalkPaul »

axwald wrote: Thu Jun 30, 2022 9:00 am Hi,

Just as I see this, and was asked about it a while ago:

As far as I can determine, the latest Community version (9.6.3) uses OpenSSL 1.1.1g in "revsecurity.dll" (for Win64 at least). That is from 21. April 2020. Current is OpenSSL 1.1.1o. Means, the 9.6.3 has some quite serious vulnerabilities.

Anybody ever thought of doing something about this? The situation regarding Curl/ CEF might not be better.

Back to lurking, have fun!
I will certainly be going for updates, and possibly modifications (CEF startup flags) when I compile, but for any mission critical network transfers things, security-wise I would not use OXT 1.963.1 nor LCC 9.6.3 (and I'm skeptical about others too)... or if I really needed to I would use shell() / 'open process' to control CLI version of CURL (which could also allow for async transfers in libURL if we modded it). Another option, and perhaps the best option but also most likely the most difficult and time consuming, is some people wrap those libraries in Extension Builder, then when there's an update to Curl, OpenSSL, etc. you just drop in the new binaries (.dlls,.so,.dynlib) and maybe update a few lines in your wrapper and you're up to date!

Has anyone tried dropping different updated binaries into the IDE replacing the CEF build that is included? I mean IIRC the file names look pretty standard (having played around with it a bit with things like an add-on wrapper for Chromium on KODI).
foxtrot47
Posts: 16
Joined: Tue Nov 22, 2022 2:17 pm

Re: So, I'm Wondering...

Post by foxtrot47 »

OpenXTalkPaul wrote: Wed Jun 29, 2022 11:41 pm I now have those prebuilt binaries if anyone needs them.
Here is a file list of those binaries:
Thirdparty-e5e050573c226f60acfbb9107c2b4aea853b0cbe-linux-x86_64-PIC.tar.bz2
CEF-74.1.19-linux-x86_64-gb62bacf.tar.bz2
icu4c-69_1-Ubuntu-20.04-x64.tgz
openssl-3.0.0.tar.gz
openssl-1.1.1l.tar.gz
ICU-58.2-All-Universal-Data-1-PIC.tar.bz2
curl-7.79.1.tar.bz2
ICU-58.2-linux-x86_64-1-PIC.tar.bz2
OpenSSL-1.1.1g-linux-x86_64-PIC.tar.bz2
ICU-58.2-All-Universal-Headers-1-PIC.tar.bz2
OpenSSL-1.1.1g-All-Universal-Headers-PIC.tar.bz2
Curl-7.51.0-linux-x86_64-PIC.tar.bz2
Howdy! I'm having trouble locating where you've posted the prebuilt binaries for download. That being said, these binaries are a few years old by now. Wouldn't each of these binaries also need to be updated/patched/compiled on a regular basis? I'm very much learning on the fly, so please excuse what might be a very obvious, "yes".

Even if it does, I'd still like to see if I can successfully compile the XOT Linux engine, and I'd much appreciate a copy of those prebuilt binaries. Please feel free to PM me if you prefer that distribution method instead.

Thank you! :)
mdm
Posts: 22
Joined: Thu Sep 16, 2021 2:15 pm

Re: So, I'm Wondering...

Post by mdm »

I'm having trouble locating where you've posted the prebuilt binaries for download.
To my knowledge, they have never been posted somewhere.

You should best PM Paul if you want to get them as he might be in family or business off-time again and might overlook your request here (3 days old now).
Wouldn't each of these binaries also need to be updated/patched/compiled on a regular basis?
Of course.

A useful re-compilation effort would still start with using all the stuff exactly as it is (old versions) and try to see if it can produce an OXT engine that is totally interchangeable with and hopefully even binary identical to the LCC 9.6.3 engine.
Only after this it would start tinkering (exchanging LC strings in the engine code, binding new libraries, using new build tools, extending functionality) and building improved versions in each step.

This clean-sheet approach is important to track down error regressions etc.

Keep us posted how it goes. Thanks!
mdm
Posts: 22
Joined: Thu Sep 16, 2021 2:15 pm

Re: So, I'm Wondering...

Post by mdm »

foxtrot47 wrote: Sat Nov 25, 2023 5:47 am I'd still like to see if I can successfully compile the XOT Linux engine
See above, I forgot to mention that you should have a look at

https://www.openxtalk.org/forum/viewtop ... f=14&t=390

and maybe PM mwieder here if you run into problems compiling for Linux because he has obviously done it before.
OpenXTalkPaul
Posts: 1485
Joined: Sat Sep 11, 2021 4:19 pm

Re: So, I'm Wondering...

Post by OpenXTalkPaul »

mdm wrote: Sat Nov 25, 2023 12:15 pm
foxtrot47 wrote: Sat Nov 25, 2023 5:47 am I'd still like to see if I can successfully compile the XOT Linux engine
See above, I forgot to mention that you should have a look at

https://www.openxtalk.org/forum/viewtop ... f=14&t=390

and maybe PM mwieder here if you run into problems compiling for Linux because he has obviously done it before.
Mark is the person I got the pre-built binaries from. I thought I had put them online somewhere for anyone interested... I'll have to get back to you on that... but IIRC Mark did say he did some work on updating some of these dependencies this past summer.

I just want to point out that on macOS the Engine should be using the macOS included versions of some of these binaries (like OpenSSL for example) and the Browser Widget uses macOS WebKit (Safari), so I believe these are needed for Win/Linux (CEF) but not macOS.
OpenXTalkPaul
Posts: 1485
Joined: Sat Sep 11, 2021 4:19 pm

Re: So, I'm Wondering...

Post by OpenXTalkPaul »

axwald wrote: Thu Jun 30, 2022 9:00 am Hi,

Just as I see this, and was asked about it a while ago:

As far as I can determine, the latest Community version (9.6.3) uses OpenSSL 1.1.1g in "revsecurity.dll" (for Win64 at least). That is from 21. April 2020. Current is OpenSSL 1.1.1o. Means, the 9.6.3 has some quite serious vulnerabilities.

Anybody ever thought of doing something about this? The situation regarding Curl/ CEF might not be better.

Back to lurking, have fun!
I have thought about... like 'hmmm...we should try to do something about that'... but then I think 'I have never used this engine for any mission critical-security use-case, and if I did have that need then it would probably be smart to subscribe to LiveCode Ltd's App-building-as-service.' But the only thing I'm transferring using OXT is some tab-separated values, and some base64 encoded Extensions, and a remote copy of the Emscripten Engine.

I would think that an external built around OpenSSL would first look for the OpenSSL library in its $PATH directories, where it should find the latest version of OpenSSL installed by the OS or Package Manager, rather than embedding the library binary into itself.

What does revSecurity external actually use OpenSSL for? Is it only used by the revURL lib, revGoURL for https:// ?
For the sort of tasks that it is used for, would it be better to make a new lib that can call the shell process to give commands/monitor a shell command like CURL directly? Then the admin of the machine is responsible for keeping that stuff up to date with security patches. We could then use that as a replacement for that External or add features (like tsNet that revURL uses in LC's commercial products). I have looked at OpenSSL & CURL and there would be a LOT in those libraries that would need to have correct binding strings created for each symbol (named code/handlers) that we may need to use. ChatGPT could probably help there.

I would think that Chromium Framework would likewise prioritize system versions of libraries that it (and therefore the Browser Widget) depends on for Windows and Linux.
That is how it works on macOS Engine since the switch from the older 'revBrowser' External to the 'Browser Widget' (prior to that the macOS version of revBrowser also used CEF Framework).

Also like I said, from what I understand Mark Wieder did update dependencies and built the Linux Engine from source. If he could post the binaries he built somewhere that would be great.
OpenXTalkPaul
Posts: 1485
Joined: Sat Sep 11, 2021 4:19 pm

Re: So, I'm Wondering...

Post by OpenXTalkPaul »

That reminds me the xTalk community member named Mark Smith (the one that died in 2012) open-source released a libRevCURL script library back when (along with a bunch of other nice work he did)
https://forums.livecode.com/viewtopic.php?t=1969
tperry2x
Posts: 1335
Joined: Tue Dec 21, 2021 9:10 pm
Location: Britain (Previously known as Great Britain)

Re: So, I'm Wondering...

Post by tperry2x »

Unfortunately, the download URL listed on the LC forum no longer works (the domain no longer exists)
axwald
Posts: 10
Joined: Mon Sep 27, 2021 1:14 pm
Location: Sol/ Terra/ Europe/ Bavaria

Re: So, I'm Wondering...

Post by axwald »

Hi,
OpenXTalkPaul wrote: Fri Dec 01, 2023 12:28 am [..] Mark Smith (the one that died in 2012) open-source released a libRevCURL script library [...]
https://forums.livecode.com/viewtopic.php?t=1969
The link in the thread doesn't work anymore. This one still does:
> https://marksmith.on-rev.com/revstuff/
and it's in web.archive.org, too. Priceless stuff!

Have fun!
tperry2x
Posts: 1335
Joined: Tue Dec 21, 2021 9:10 pm
Location: Britain (Previously known as Great Britain)

Re: So, I'm Wondering...

Post by tperry2x »

axwald wrote: Fri Dec 01, 2023 8:02 am The link in the thread doesn't work anymore. This one still does:
> https://marksmith.on-rev.com/revstuff/
and it's in web.archive.org, too. Priceless stuff!
Unfortunately libID3, IPtoCountry, AudioFileInfo and libRevFreeDB download links on that page are all broken. I've downloaded a copy of everything else though. Thank you.
OpenXTalkPaul
Posts: 1485
Joined: Sat Sep 11, 2021 4:19 pm

Re: So, I'm Wondering...

Post by OpenXTalkPaul »

tperry2x wrote: Fri Dec 01, 2023 8:21 am
axwald wrote: Fri Dec 01, 2023 8:02 am The link in the thread doesn't work anymore. This one still does:
> https://marksmith.on-rev.com/revstuff/
and it's in web.archive.org, too. Priceless stuff!
Unfortunately libID3, IPtoCountry, AudioFileInfo and libRevFreeDB download links on that page are all broken. I've downloaded a copy of everything else though. Thank you.
For Mark's excellent ID3 lib (that is pure script, no dependencies), I recommend grabbing the version in my repo ('1.4b') as I updated that library a bit a few years back. It still has a few broken handlers (like writing Album Cover Art back into the mp3 file), but it at least should be more Unicode safe. I also added two handlers that can 'brute force' extract GIF or JPEG images that have been embedded into ANY file, this is because Mark's handler fails to read some embedded album cover art due to unknown reason (which I did NOT thoroughly investigate). In that repo is also the beginnings of my own, original library that goes slightly further in that it attempts to parse info about the actual MPEG Frames that make up an mp3, stuff like sample rate, bitrate, VBR or CBR, etc.
Here:
https://github.com/PaulMcClernan/id3lib
There is also a repo that has backup copies of Mark's work:
https://github.com/PaulMcClernan/mark-smith-libraries
OpenXTalkPaul
Posts: 1485
Joined: Sat Sep 11, 2021 4:19 pm

Re: So, I'm Wondering...

Post by OpenXTalkPaul »

BTW, since revURL came up, for OXT DPE when I did some debranding in that library, while I was in there I was looking to see how it can use tsNet (or anything else, like HTML5 APIs for Emscripten engine) as a back-end, ...
AND just for fun I also added simple support for the 'tel:' protocol URL, so if you use OXT DPE and have installed IP telephony app that supports it (such as FaceTime on macOS) you can 'dial' the phone from the message box: launch URL "tel:(856) 123-4567" and it will launch the phone app. Maybe that should be wired up to re-enable the old HyperTalk 'Dial' command (which currently is not even a nonfunctional 'stub' compatibility keyword). 'Dial' is the command handler name I used in the OXT Start stack's networking demo/info card.