<div dir="ltr"><div class="gmail_quote"><div dir="ltr"><div><span style="font-family:monospace,monospace">Jason A. Donenfeld wrote:</span><br></div><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">> Please stay away from this software, and generally be wary of
</span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">> closed-source WireGuard implementations trying to fill the void.<b> This
</b></span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap"><b>> one was written by a community-unfriendly proprietary author</b>, and
</span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">> we've got little way of ensuring protocol compliance or basic
</span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">> security. <b>Especially from my discussions from him, it's clear what
</b></span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap"><b>> he's up to, and this seems like some nastiness.</b> Should I spend my time
</span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">> reverse engineering this software and discovering zero-days? Probably
</span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">> not a good use of my time, despite my usual love of this sort of</span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap"> thing.</span><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap">First of all, could you change tone a little bit, personal attacks and</span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap">rudeness do </span></font><span style="white-space:pre-wrap;color:rgb(0,0,0);font-family:monospace,monospace">not have a place in those discussions unless you actually</span></div><div><span style="white-space:pre-wrap;color:rgb(0,0,0);font-family:monospace,monospace">back them up </span><span style="white-space:pre-wrap;color:rgb(0,0,0);font-family:monospace,monospace">with facts. </span></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap">Never once during our IRC chat did I say something negative about you,</span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap">instead I wrote several times that WireGuard was fantastic and you're</span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap">an inspiring person. 
</span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap"><br></span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap">I'd be happy to share IRC logs of our brief communication with this list</span></font></div><div><font color="#000000" face="monospace, monospace"><span style="white-space:pre-wrap">to prove my point, but your </span></font><span style="white-space:pre-wrap;color:rgb(0,0,0);font-family:monospace,monospace">attitude appears to be that everything that</span></div><div><span style="white-space:pre-wrap;color:rgb(0,0,0);font-family:monospace,monospace">is not open source, and </span><span style="white-space:pre-wrap;color:rgb(0,0,0);font-family:monospace,monospace">hosted under the WireGuard brand/webpage, is</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">community-</span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">unfriendly and nasty. Is that what you mean by community</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">unfriendly?</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap"><br></span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">I said that if I release TunSafe I probably want it under my own </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">name,</span><br></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">on my own website, where I'm free to develop the project in any</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">direction I want, without pressure to release it as open source. 
</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">I</span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap"> don't want to spend weeks </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">or </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">months </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">building a </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">client for </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">it to end</span></div><div><font face="monospace, monospace"><span style="color:rgb(0,0,0);white-space:pre-wrap">up on some semi-hidden </span><span style="color:rgb(0,0,0);white-space:pre-wrap">place </span><span style="color:rgb(0,0,0);white-space:pre-wrap">on </span><a href="http://wireguard.com" target="_blank" style="white-space:pre-wrap">wireguard.com</a> just because you</font></div><div><font face="monospace, monospace">prefer Rust or Go, </font><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">where </span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">my contribution may </span><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">get diminished into</span></div><div><span style="font-family:monospace,monospace;color:rgb(0,0,0);white-space:pre-wrap">nothing at all. </span></div><div><br></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">How would you deal with Microsoft if they wanted to add a closed</span><br></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">source implementation of WireGuard in Windows? 
Would they also</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">be considered a community-unfriendly proprietary author with a </span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">clear agenda of nastiness?</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap"><br></span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">Is this how you envision how things would work should WireGuard</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">become a </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">future RFC / Internet Standard? The only accepted</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">implementation would be that one from yourself? No companies</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">would be allowed to implement it or take part in discussions?</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">This is not </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">how Internet protocols typically work.</span></div><div><br></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">Given these constraints, I'm happy to participate in whatever </span><br></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">protocol discussions or community related questions that I'm </span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">in the capacity to answer or contribute to.</span></div><div><br></div><div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">I totally understand your point about open source applications</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">being easier to audit, especially important when it's related</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">to security. I share this view, and will address it eventually,</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">in some way. 
Either just the wireguard protocol layer or the</span></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">whole </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">UI too.</span></div></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap"><br></span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">Though, your behavior this past day has confirmed even more that</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">I'm not </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">interested in being a slave in a dictatorship. You've</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">ignored </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">my attempts at communications for 2 weeks. 
You ban me</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">from #wireguard </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">IRC even though I haven't talked there for weeks,</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">but just because I'm in there and not being as much of a </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">die-hard</span></div><div><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">open-source </span><span style="color:rgb(0,0,0);font-family:monospace,monospace;white-space:pre-wrap">evangelist as you are.</span></div><div><br></div><div><span style="font-family:monospace,monospace">Jason A. Donenfeld wrote:</span><br></div><div><span style="color:rgb(0,0,0);white-space:pre-wrap;font-family:monospace,monospace">> This isn't the source code of tunsafe. This is the source code of the
</span><span style="color:rgb(0,0,0);white-space:pre-wrap;font-family:monospace,monospace">> OpenVPN Windows tuntap kernel driver, </span><b style="color:rgb(0,0,0);white-space:pre-wrap;font-family:monospace,monospace">which has been hacked up in
</b><b style="color:rgb(0,0,0);white-space:pre-wrap;font-family:monospace,monospace">> various ways for tunsafe</b><span style="color:rgb(0,0,0);white-space:pre-wrap;font-family:monospace,monospace">. That's a super scary driver, by the way.</span></div><div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">
Incorrect. The driver files are not modified at all. They still</font></div><div><font face="monospace, monospace">carry OpenVPN's codesigning signature. You can see this on the</font></div><div><font face="monospace, monospace">driver install prompt:</font></div><div><span style="font-family:monospace,monospace"><a href="https://tunsafe.com/img/quickstart-driver-confirm.png" target="_blank">https://tunsafe.com/img/quicks<wbr>tart-driver-confirm.png</a></span><br></div><div><span style="font-family:monospace,monospace"><br></span></div><div><span style="font-family:monospace,monospace">I agree that the driver is scary, I think I even found some </span></div><div><span style="font-family:monospace,monospace">potential OOB </span><span style="font-family:monospace,monospace">memory accesses in it from a quick glance. However, </span></div><div><span style="font-family:monospace,monospace">this is the best driver the </span><span style="font-family:monospace,monospace">community has at this point in time,</span></div><div><span style="font-family:monospace,monospace">and even your own userspace </span><span style="font-family:monospace,monospace">implementations of WG use it. I'd</span></div><div><span style="font-family:monospace,monospace">be happy to improve it but then I need an expensive driver</span></div><div><font face="monospace, monospace">codesigning certificate in order to load it into the kernel.</font></div><div><font face="monospace, monospace"><br></font></div></div><div><font face="monospace, monospace">/Ludde</font></div><div><br></div></div>
</div><br></div>