[cwn] Attn: Development Editor, Latest Caml Weekly News

Alan Schmitt alan.schmitt at polytechnique.org
Tue May 28 01:19:20 PDT 2013 

Hello,

Here is the latest Caml Weekly News, for the week of May 21 to 28, 2013.

1) French study on security and functional languages
2) OPAM: installing batteries pa_strings.
3) Other Caml News

========================================================================
1) French study on security and functional languages
Archive: <https://sympa.inria.fr/sympa/arc/caml-list/2013-05/msg00146.html>
------------------------------------------------------------------------
** David Mentré said:

For those reading French, ANSSI (French agency for information
security) published a study on security and functional languages, with
a set of recommendations. OCaml is apparently well studied:

<http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/lafosec-securite-et-langages-fonctionnels.html>

"""
Cette étude, menée par un consortium composé de Saferiver, Normation,
AMOSSYS et du CEDRIC dans le cadre formel d?un marché du SGDSN, avait
pour objectif principal d?étudier l?adéquation des langages
fonctionnels pour le développement d?applications de sécurité, de
proposer le cas échéant des recommandations, et de mettre en pratique
certaines de ces recommandations.
"""
      
** Fabrice Le Fessant said:

Some comments on this topic:

- LaFoSec is the second study funded by ANSSI (it was done by a consortium
of experts, among which many security experts and one of the main
developers of OCaml, so I would not take their recommendations
lightly, personally), the first one is JavaSec (
<http://www.ssi.gouv.fr/fr/anssi/publications/publications-scientifiques/autres-publications/securite-et-langage-java.html>),
so there is indeed a comparison between OCaml, other functional languages,
and imperative languages, showing that there are many more security
 problems with Java than with OCaml.

- LaFoSec was started in 2010, which explains why it focuses on OCaml 3.12.

- If some observations seem obvious (for smart people that you are ;-) ), a
lot of them are much less obvious (the fact for example that you can
discover a secrete key using polymorphic comparisons without breaking the
type system). Also, they give an interesting set of arguments for pushing
OCaml instead of other programming languages, so for me, they are really
going in the good direction, it's a very good thing for the OCaml community.

- There is a document that was also written, but has not been published (it
was described at the last JFLA'2013 seminar, also in French), providing a
set of recommendations to improve OCaml for security applications. I don't
know why it was not published with the other ones, maybe because it would
become obsolete faster than the other ones.
      
** Olivier Levillain also said:

For information, some of the results have been presented last February
during the JFLA (Journées francophones des langages applicatifs). The
slides presented are available on the conference web site
(<http://jfla.inria.fr/2013/programme.html>).
      
** Anil Madhavapeddy said and Olivier Levillain replied:

> I was very glad to see the release of the Parsifal code onto Github too:
> <https://github.com/ANSSI-FR/parsifal>
>
> It looks like you have done a lot of the work required towards building
> a pure OCaml SSL and Kerberos stack, as well as DNS and SSH parsers in
> there too. We were just discussing the lack of a pure OCaml SSL library
> for MirageOS (which already has a full reimplementation of device drivers
> and TCP/IP and HTTP, and is just missing the final SSL piece).

I'm glad to see you are interested in Parsifal. It was recently
published on GitHub and will be presented as a short paper at SSTIC 2013
(<https://www.sstic.org/2013>, not to be confused with SSTiC 2013).

However, this is still a project in development and I must warn you it
was first written to allow for writing quick and robust *parsers*. That
is why for the moment, the code essentially consists in the description
of some formats and protocols. We are beginning to work on animating
the protocols, but this will need a lot of work to get done properly.

Concerning the protocols you cite, here is the status :
- nearly all SSL/TLS messages and X.509 certificates are supported and
some test tools already exist (but only for the first handshake round-trip);
- Kerberos as you see it in the repository is at a very early stage but
more commits are coming once I have time to review them;
- DNS is working and I wrote a picodig version to make some requests
(but this one was easy: there is no real context in the protocol);
- We have not yet worked on SSH but it would be a good idea.
      
========================================================================
2) OPAM: installing batteries pa_strings.
Archive: <https://sympa.inria.fr/sympa/arc/caml-list/2013-05/msg00190.html>
------------------------------------------------------------------------
** Ivan Gotovchits asked and Gabriel Scherer replied:

> It seems that I'm the only person in the Internet having such problem.
>
> I do
> $ opam install batteries
> $ find -name 'pa_string*'
>
> Nothing is found.
>
> Batteries says nothing bad when installing everything seems work ok,
> except that no pa_ modules are installed. Though batteries.cma and
> batteriesThread.cma are installed...

Due to maintainance problems and lack of apparent interest among
users, Batteries 2.0 release got rid of its syntax extensions. See the
announcement here:

<https://lists.forge.ocamlcore.org/pipermail/batteries-devel/2012-November/001762.html>

If you care about any of the syntax extensions that were present, I
recommend that you package them separately.

Max Mouratov has kindly done the work of packaging pa_where and
pa_comprehension, providing OASIS metada for them on the developer
side (which should make easy to deploy and install them on any system)
- <https://bitbucket.org/cakeplus/pa_where/src>
- <https://bitbucket.org/cakeplus/pa_comprehension/src>
and OPAM packages on the packaging side (which makes them practically
easy to install through OPAM)
- <https://github.com/OCamlPro/opam-repository/tree/master/packages/pa_comprehension.0.4>
- <https://github.com/OCamlPro/opam-repository/tree/master/packages/pa_where.0.4>

I'm not aware of ongoing work to package pa_string, but reusing the
OASIS and OPAM metadata of those two extensions should make that very
easy.
      
========================================================================
3) Other Caml News
------------------------------------------------------------------------
** From the ocamlcore planet blog:

Thanks to Alp Mestan, we now include in the Caml Weekly News the links to the
recent posts from the ocamlcore planet blog at <http://planet.ocaml.org/>.

Issues with distributions, not only a Debian specific problem:
  <http://blog.bentobako.org/index.php?post/2013/05/26/Issues-with-distributions%2C-not-only-a-Debian-specific-problem>

dirvish-stats:
  <https://forge.ocamlcore.org/projects/dirvish-stats/>

Optimisations you shouldn't do:
  <http://www.ocamlpro.com/blog/2013/05/24/optimisations-you-shouldn-t-do.html>

OCaml-RDF 0.5:
  <https://forge.ocamlcore.org/forum/forum.php?forum_id=878>

Flowing faster: External memory:
  <http://scattered-thoughts.net/blog/2013/05/21/flowing-faster-external-memory/>
      
========================================================================
Old cwn
------------------------------------------------------------------------

If you happen to miss a CWN, you can send me a message
(alan.schmitt at polytechnique.org) and I'll mail it to you, or go take a look at
the archive (<http://alan.petitepomme.net/cwn/>) or the RSS feed of the
archives (<http://alan.petitepomme.net/cwn/cwn.rss>). If you also wish
to receive it every week by mail, you may subscribe online at
<http://lists.idyll.org/listinfo/caml-news-weekly/> .

========================================================================

More information about the caml-news-weekly mailing list