Hello
Here is the latest Caml Weekly News, for the week of May 21 to 28, 2013.
Archive: https://sympa.inria.fr/sympa/arc/caml-list/2013-05/msg00146.html
David Mentré said:

For those reading French, ANSSI (French agency for information security) published a study on security and functional languages, with a set of recommendations. OCaml is apparently well studied:
http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/lafosec-securite-et-langages-fonctionnels.html

"""
This study, conducted by a consortium made up of Saferiver, Normation, AMOSSYS and CEDRIC under the formal framework of a contract from the SGDSN, had as its main objective to study the suitability of functional languages for developing security applications, to propose recommendations where appropriate, and to put some of these recommendations into practice.
"""

Fabrice Le Fessant said:
Some comments on this topic:

- LaFoSec is the second study funded by ANSSI (it was done by a consortium of experts, among which many security experts and one of the main developers of OCaml, so I would not take their recommendations lightly, personally), the first one is JavaSec (http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/securite-et-langage-java.html), so there is indeed a comparison between OCaml, other functional languages, and imperative languages, showing that there are many more security problems with Java than with OCaml.

- LaFoSec was started in 2010, which explains why it focuses on OCaml 3.12.

- If some observations seem obvious (for smart people that you are ;-) ), a lot of them are much less obvious (the fact for example that you can discover a secret key using polymorphic comparisons without breaking the type system). Also, they give an interesting set of arguments for pushing OCaml instead of other programming languages, so for me, they are really going in the good direction, it's a very good thing for the OCaml community.

- There is a document that was also written, but has not been published (it was described at the last JFLA'2013 seminar, also in French), providing a set of recommendations to improve OCaml for security applications. I don't know why it was not published with the other ones, maybe because it would become obsolete faster than the other ones.

Olivier Levillain also said:
For information, some of the results were presented last February during the JFLA (Journées francophones des langages applicatifs). The slides presented are available on the conference web site (http://jfla.inria.fr/2013/programme.html).

Anil Madhavapeddy said and Olivier Levillain replied:
> I was very glad to see the release of the Parsifal code onto Github too:
> https://github.com/ANSSI-FR/parsifal
>
> It looks like you have done a lot of the work required towards building
> a pure OCaml SSL and Kerberos stack, as well as DNS and SSH parsers in
> there too. We were just discussing the lack of a pure OCaml SSL library
> for MirageOS (which already has a full reimplementation of device drivers
> and TCP/IP and HTTP, and is just missing the final SSL piece).

I'm glad to see you are interested in Parsifal. It was recently published on GitHub and will be presented as a short paper at SSTIC 2013 (https://www.sstic.org/2013, not to be confused with SSTiC 2013).

However, this is still a project in development and I must warn you it was first written to allow for writing quick and robust *parsers*. That is why for the moment, the code essentially consists in the description of some formats and protocols. We are beginning to work on animating the protocols, but this will need a lot of work to get done properly.

Concerning the protocols you cite, here is the status:

- nearly all SSL/TLS messages and X.509 certificates are supported and some test tools already exist (but only for the first handshake round-trip);
- Kerberos as you see it in the repository is at a very early stage but more commits are coming once I have time to review them;
- DNS is working and I wrote a picodig version to make some requests (but this one was easy: there is no real context in the protocol);
- We have not yet worked on SSH but it would be a good idea.
Archive: https://sympa.inria.fr/sympa/arc/caml-list/2013-05/msg00190.html
Ivan Gotovchits asked and Gabriel Scherer replied:

> It seems that I'm the only person on the Internet having such a problem.
>
> I do
> $ opam install batteries
> $ find -name 'pa_string*'
>
> Nothing is found.
>
> Batteries says nothing bad when installing, everything seems to work ok,
> except that no pa_ modules are installed. Though batteries.cma and
> batteriesThread.cma are installed...

Due to maintenance problems and lack of apparent interest among users, Batteries 2.0 release got rid of its syntax extensions. See the announcement here:
https://lists.forge.ocamlcore.org/pipermail/batteries-devel/2012-November/001762.html

If you care about any of the syntax extensions that were present, I recommend that you package them separately. Max Mouratov has kindly done the work of packaging pa_where and pa_comprehension, providing OASIS metadata for them on the developer side (which should make it easy to deploy and install them on any system)

- https://bitbucket.org/cakeplus/pa_where/src
- https://bitbucket.org/cakeplus/pa_comprehension/src

and OPAM packages on the packaging side (which makes them practically easy to install through OPAM)

- https://github.com/OCamlPro/opam-repository/tree/master/packages/pa_comprehension.0.4
- https://github.com/OCamlPro/opam-repository/tree/master/packages/pa_where.0.4

I'm not aware of ongoing work to package pa_string, but reusing the OASIS and OPAM metadata of those two extensions should make that very easy.
Thanks to Alp Mestan, we now include in the Caml Weekly News the links to the recent posts from the ocamlcore planet blog at http://planet.ocaml.org/.

Issues with distributions, not only a Debian specific problem:
  http://blog.bentobako.org/index.php?post/2013/05/26/Issues-with-distributions%2C-not-only-a-Debian-specific-problem

dirvish-stats:
  https://forge.ocamlcore.org/projects/dirvish-stats/

Optimisations you shouldn't do:
  http://www.ocamlpro.com/blog/2013/05/24/optimisations-you-shouldn-t-do.html

OCaml-RDF 0.5:
  https://forge.ocamlcore.org/forum/forum.php?forum_id=878

Flowing faster: External memory:
  http://scattered-thoughts.net/blog/2013/05/21/flowing-faster-external-memory/
If you happen to miss a CWN, you can send me a message and I'll mail it to you, or go take a look at the archive or the RSS feed of the archives.
If you also wish to receive it every week by mail, you may subscribe online.