opensc-devel — discussion of developement of OpenSC and related projects

[Opensc-devel] libp11: deprecation of PKCS11_generate_key

[Eliot R. <eli...@er...>]

Regarding the deprecation of PKCS11_generate_key in libp11
(pkcs11_engine),

To generate keypairs in an HSM, I am currently using OpenSSL and
libp11. This is possible from OpenSSL by calling the pkcs11 engine with
control command "KEYPAIR_GEN_CTRL". However, since this functionality (
PKCS11_generate_key) is said to be deprecated in libp11 0.5.0, I ask if
there is another way of doing this.

As far as I understand, unlike the other functions which are to be
deprecated, to generate keys inside of the HSM is not supported
directly by OpenSSL. There must be something I am missing.

Naturally, it would be possible to generate the keys outside of the HSM
and then store them therein, but this is of course not acceptable for
security reasons.

Best regards,
Eliot Roxbergh

Re: [Opensc-devel] Policy on new card driver based on reverse engineering

[Carsten B. <ch...@po...>]

Hello Jarl,

this is my private view, I'm not an OpenSC maintainer, just a 
contributor/user and driver author https://github.com/carblue/acos5:

I don't know Your card "Gemalto Instant EID IP10" and what OpenSC may 
perhaps provide already for that.

If actually a new implementation is required,

then I can help in general with guidance how to do that from my own 
experience. Akin to Your situation I had almost no knowledge about 
cryptography/smartcard and all the other stuff that needs to be 
mastered: There is a hard and interesting task waiting for You, probably 
not solvable in a few week's spare time. I would say, the biggest part 
is integrating all Your knowledge about the card into the OpenSC 
software framework (with Your new driver). Sadly that is only sparsely 
documented, e.g. 
https://github.com/OpenSC/OpenSC/wiki/Adding-a-new-card-driver, well, 
it's a starting point, but it's ~ 0.01% of the information required. 
There is a problem when referring to other driver's code, when You don't 
know those card's properties. But in case, You know that Your card is 
very similar to supported card xyz, then the job may be easy, based on a 
copy of card driver xyz.

I assume, Your intention isn't that kind of reverse 
engineering/decompiling, that attracts code author lawyer's attention 
(why else the existing PKCS#11 module is proprietary and presumably has 
some license terms that tell something about reverse 
engineering/decompiling. You would need to check that), *but* it 
probably won't help You much anyway:

You can always inspect the APDU command communication on PC/SC level, 
IIRC with http://ludovic.rousseau.free.fr/softwares/pcsc-tools. I used 
that once i.o. to see, what my card's vendor software does differently 
from described in card's reference manual. So this is the essential 
document that You need, likely no chance at all without that. It 
describes in detail card's commands available, card's properties, file 
types, control reference templates, manage security environment, how to 
do secure messaging (if applicable), how are files protectable by card's 
security access control and a lot more. When You have that manual and 
want more help, send it to an interested OpenSC maintainer and me.

The link and decompiling: Well, it's a lot of swedish that I sadly don't 
understand. And even if You could - with the help of expensive tools - 
unrealistically assumed, see the original proprietary source code: That 
still won't help You much, less than an expressive card reference manual 
and in-depth knowledge of OpenSC code.

Next to the OpenSC wiki, these links might help:

http://cedric.dufour.name/blah/IT/SmartCardsOverview.html

http://cedric.dufour.name/blah/IT/SmartCardsHowto.html


Am 28.11.20 um 11:03 schrieb Jarl Gullberg:
> Correction; the included link is just their userspace application. The
> actual module is available from their customers, such as Telia, and
> has been redistributed via an ubuntu ppa :
> https://launchpad.net/~ubuntu-se/+archive/ubuntu/netid
>
> On Sat, 28 Nov 2020 at 11:01, Jarl Gullberg <jar...@gm...> wrote:
>> Hi,
>>
>> To start with, I apologize for any etiquette or usage issues here on
>> the mailing list on my behalf - I think I've only ever used a mailing
>> list once before.
>>
>> I've got a question in regards to implementing a new driver for a card
>> that's currently unsupported by OpenSC, but one that I have a
>> proprietary PKCS#11 module for. I don't have the source code, nor any
>> technical documentation that would describe the workings of the
>> driver, but using the module I can successfully interact with the card
>> using pkcs11-tool.
>>
>> The card in question is a Gemalto Instant EID IP10, a card commonly
>> used by Swedish authorities (including the military) and as a
>> bank-issued electronic identification card. It's a JavaCard v2-based
>> platform, with Gemalto's IDPrime applet (as far as googling has told
>> me, anyway). I'm quite new to the world of smartcards, but it would be
>> a great help if this card had support in OpenSC. BankID has become the
>> de facto standard for electronic identification here in Sweden, and
>> I'd be very helped at my workplace if the card was supported.
>>
>> What is the OpenSC policy on reverse engineering a new driver from a
>> proprietary module, either by decompiling the binary itself, or by
>> sniffing the traffic between the driver and the card? I'd be up for
>> implementing it myself or providing as much assistance as I can,
>> provided I get some guidance on how to actually do that - I've got
>> access to both a compatible reader, a set of IP10 cards (which I
>> bought because I thought they were of a different model, go me), as
>> well as the PKCS#11 module that talks to them.
>>
>> The module can be downloaded freely from Secmaker, the company behind
>> a fair bit of the technology involved, as "Net iD Access" for Linux,
>> Mac, Windows, iOS, and Android at
>> https://service.secmaker.com/access/apps.aspx.
>>
>> Thanks!
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: [Opensc-devel] Policy on new card driver based on reverse engineering

[Jarl G. <jar...@gm...>]

Correction; the included link is just their userspace application. The
actual module is available from their customers, such as Telia, and
has been redistributed via an ubuntu ppa :
https://launchpad.net/~ubuntu-se/+archive/ubuntu/netid

On Sat, 28 Nov 2020 at 11:01, Jarl Gullberg <jar...@gm...> wrote:
>
> Hi,
>
> To start with, I apologize for any etiquette or usage issues here on
> the mailing list on my behalf - I think I've only ever used a mailing
> list once before.
>
> I've got a question in regards to implementing a new driver for a card
> that's currently unsupported by OpenSC, but one that I have a
> proprietary PKCS#11 module for. I don't have the source code, nor any
> technical documentation that would describe the workings of the
> driver, but using the module I can successfully interact with the card
> using pkcs11-tool.
>
> The card in question is a Gemalto Instant EID IP10, a card commonly
> used by Swedish authorities (including the military) and as a
> bank-issued electronic identification card. It's a JavaCard v2-based
> platform, with Gemalto's IDPrime applet (as far as googling has told
> me, anyway). I'm quite new to the world of smartcards, but it would be
> a great help if this card had support in OpenSC. BankID has become the
> de facto standard for electronic identification here in Sweden, and
> I'd be very helped at my workplace if the card was supported.
>
> What is the OpenSC policy on reverse engineering a new driver from a
> proprietary module, either by decompiling the binary itself, or by
> sniffing the traffic between the driver and the card? I'd be up for
> implementing it myself or providing as much assistance as I can,
> provided I get some guidance on how to actually do that - I've got
> access to both a compatible reader, a set of IP10 cards (which I
> bought because I thought they were of a different model, go me), as
> well as the PKCS#11 module that talks to them.
>
> The module can be downloaded freely from Secmaker, the company behind
> a fair bit of the technology involved, as "Net iD Access" for Linux,
> Mac, Windows, iOS, and Android at
> https://service.secmaker.com/access/apps.aspx.
>
> Thanks!

[Opensc-devel] Policy on new card driver based on reverse engineering

[Jarl G. <jar...@gm...>]

Hi,

To start with, I apologize for any etiquette or usage issues here on
the mailing list on my behalf - I think I've only ever used a mailing
list once before.

I've got a question in regards to implementing a new driver for a card
that's currently unsupported by OpenSC, but one that I have a
proprietary PKCS#11 module for. I don't have the source code, nor any
technical documentation that would describe the workings of the
driver, but using the module I can successfully interact with the card
using pkcs11-tool.

The card in question is a Gemalto Instant EID IP10, a card commonly
used by Swedish authorities (including the military) and as a
bank-issued electronic identification card. It's a JavaCard v2-based
platform, with Gemalto's IDPrime applet (as far as googling has told
me, anyway). I'm quite new to the world of smartcards, but it would be
a great help if this card had support in OpenSC. BankID has become the
de facto standard for electronic identification here in Sweden, and
I'd be very helped at my workplace if the card was supported.

What is the OpenSC policy on reverse engineering a new driver from a
proprietary module, either by decompiling the binary itself, or by
sniffing the traffic between the driver and the card? I'd be up for
implementing it myself or providing as much assistance as I can,
provided I get some guidance on how to actually do that - I've got
access to both a compatible reader, a set of IP10 cards (which I
bought because I thought they were of a different model, go me), as
well as the PKCS#11 module that talks to them.

The module can be downloaded freely from Secmaker, the company behind
a fair bit of the technology involved, as "Net iD Access" for Linux,
Mac, Windows, iOS, and Android at
https://service.secmaker.com/access/apps.aspx.

Thanks!

[Opensc-devel] OpenSC 0.21.0 released

[Frank M. <fra...@gm...>]

Hi all!

I'm happy to finally announce the new release 0.21.0 of OpenSC
<https://github.com/OpenSC/OpenSC/releases/tag/0.21.0>. You can read a full
summary of the changes and get the release binaries on GitHub. We recommend
upgrading your installation, most notably for fixing CVE-2020-26570,
CVE-2020-26571 and CVE-2020-26572.

We've not only focused on fixing many bugs with different cards and
environments from a variety of vendors. This release also adds support for
two new types of tokens, Gemalto IDPrime and Polish eID card (e-dowód, eDO).

Regards,
Frank Morgner.

Re: [Opensc-devel] OpenSC doesn't support symmetric decrypt/encrypt operations

[<J.W...@mi...>]

Isn’t asymmetrical encrypt & decrypt enough?



From: "carblue" <ka6...@on...<mailto:ka6...@on...>>
Date: Monday, 16 November 2020 at 13:48:48
To: "Ope...@li..." <Ope...@li...<mailto:Ope...@li...>>
Subject: [Opensc-devel] OpenSC doesn't support symmetric decrypt/encrypt operations

Hi all,

I would like to know from OpenSC maintainers/users, whether there is
interest in implementing

"OpenSC support of symmetric decrypt/encrypt operations done by cards
capable to do that".

As Hannu Honkanen pointed out in
https://github.com/OpenSC/OpenSC/issues/1796/#issuecomment-536728933

"(Symmetric) keys can be loaded using pkcs15-init and symmetric keys can
be used to wrap/unwrap keys but not for just doing encryption. It could
be implemented in quite similar way as the wrap/unwrap ...".

With such support available I think of this use case: I could
implement/fix #1796  testing 'key unwrap' in pkcs11.tool, that is most
meaningful with my ACOS5 card, i.e. test C_UnwrapKey + sym. key arrived
on-card and is cryptographically usable: E.g. create some random AES key
in memory, encrypt some test message with that key via OpenSSL, wrap the
AES key by means of a public RSA key from card, call C_UnwrapKey and -
supposed that stores the unwrapped AES key to card and cos is able to
sym. decrypt (true for acos5) - decrypt the encrypted test message with
the unwrapped AES key by an on-card operation, and finally compare that
to original/plain test message. There would probably also be other code
branches depending on how cards handle the unwrapped key (session object
/ in-memory object? / CKA_TOKEN / CKA_EXTRACTABLE).

Hence, if there is positive feedback, then I will start such an
implementation at
https://github.com/carblue/OpenSC-1/tree/sym_hw_encrypt  and possibly
others join in.

I haven't yet looked deeply into that area of OpenSC code, but this
question arises: I assume, the existing sc_card_operations:decipher is
reserved for asym. key operation, so there is a need for 2 new
sc_card_operations: Proposal:

encrypt / decrypt

Any ideas / comments / proposals ?


Cheers, Carsten Blüggel (carblue)







_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

[Opensc-devel] OpenSC doesn't support symmetric decrypt/encrypt operations

[carblue <ka6...@on...>]

Hi all,

I would like to know from OpenSC maintainers/users, whether there is 
interest in implementing

"OpenSC support of symmetric decrypt/encrypt operations done by cards 
capable to do that".

As Hannu Honkanen pointed out in 
https://github.com/OpenSC/OpenSC/issues/1796/#issuecomment-536728933

"(Symmetric) keys can be loaded using pkcs15-init and symmetric keys can 
be used to wrap/unwrap keys but not for just doing encryption. It could 
be implemented in quite similar way as the wrap/unwrap ...".

With such support available I think of this use case: I could 
implement/fix #1796  testing 'key unwrap' in pkcs11.tool, that is most 
meaningful with my ACOS5 card, i.e. test C_UnwrapKey + sym. key arrived 
on-card and is cryptographically usable: E.g. create some random AES key 
in memory, encrypt some test message with that key via OpenSSL, wrap the 
AES key by means of a public RSA key from card, call C_UnwrapKey and - 
supposed that stores the unwrapped AES key to card and cos is able to 
sym. decrypt (true for acos5) - decrypt the encrypted test message with 
the unwrapped AES key by an on-card operation, and finally compare that 
to original/plain test message. There would probably also be other code 
branches depending on how cards handle the unwrapped key (session object 
/ in-memory object? / CKA_TOKEN / CKA_EXTRACTABLE).

Hence, if there is positive feedback, then I will start such an 
implementation at 
https://github.com/carblue/OpenSC-1/tree/sym_hw_encrypt  and possibly 
others join in.

I haven't yet looked deeply into that area of OpenSC code, but this 
question arises: I assume, the existing sc_card_operations:decipher is 
reserved for asym. key operation, so there is a need for 2 new 
sc_card_operations: Proposal:

encrypt / decrypt

Any ideas / comments / proposals ?


Cheers, Carsten Blüggel (carblue)

Re: [Opensc-devel] Chrome gets stuck and firefox won't open until stopping/restarting pcscd or unplugging CAC reader

[Douglas E E. <dee...@gm...>]

This may have been fixed in 0.21.0 release candidates.

https://github.com/OpenSC/OpenSC/releases/tag/0.21.0-rc2

There were a lot of changes made to deal with PKCS11 and NSS handling of slots.
#1975, #1935, #1961 and #1970 and maybe others.

This could also have someting to do with the setting in opensc.conf dealing with
exclusive use of a card by one application.


On 11/12/2020 8:11 AM, Daffy Duck wrote:
> Hello,
> 
> I have Fedora 33, 64 bit.  It started with F32.
> 
> SCR3310 card reader.
> 
> For months now, I am constantly having the problem of being in Chrome and web pages timing out until I stop, and sometimes restart, etc
> pcscd.  At the same time, when this is occuring, firefox will not open.
> 
> Once I either restart it or stop pcscd process, or sometimes if I unplug the CAC reader, things work normally
> again for a time.
> 
> Any ideas?
> 
> 
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
> 

-- 

  Douglas E. Engert  <DEE...@gm...>

Re: [Opensc-devel] Chrome gets stuck and firefox won't open until stopping/restarting pcscd or unplugging CAC reader

[carblue <ka6...@on...>]

Hi,

ref. "firefox will not open"

This seems to happen when the OpenSC module is defined in the 
"cryptographic module settings */ ***Security Devices" (don't know the 
exact naming in english for Firefox/Thunderbird)

*and* something is not perfect with the specific card driver running for 
OpenSC.

Due to recurring traffic between smart card and Firefox/Thunderbird 
(even if seemingly not necessary) I'm used to remove the OpenSC module 
from "Security Devices", and only add it when required.

Then recently, I tested the (obviously not properly working) Windows 
build of my external card driver, unnoticed that the Win-OpenSC v0.20.0 
complete install automatically adds the OpenSC module as security device 
via autostart, and  => Firefox did not open !

I don't have that "firefox will not open" problem with Kubuntu 18.04.5, 
for which the card driver build works well (even with 
OpenSC-0.21.0-rc2), irrespective of "Security Devices".

Regards, carblue, Carsten Blüggel

Re: [Opensc-devel] Chrome gets stuck and firefox won't open until stopping/restarting pcscd or unplugging CAC reader

[Frank M. <fra...@gm...>]

Maybe sending a debug log and opening an issue on Github could help, see
https://github.com/OpenSC/OpenSC/wiki/How-to-write-a-good-bug-report

Regards, Frank.


Am Do., 12. Nov. 2020 um 15:12 Uhr schrieb Daffy Duck <
suf...@gm...>:

> Hello,
>
> I have Fedora 33, 64 bit.  It started with F32.
>
> SCR3310 card reader.
>
> For months now, I am constantly having the problem of being in Chrome and
> web pages timing out until I stop, and sometimes restart, etc
> pcscd.  At the same time, when this is occuring, firefox will not open.
>
> Once I either restart it or stop pcscd process, or sometimes if I unplug
> the CAC reader, things work normally
> again for a time.
>
> Any ideas?
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

[Opensc-devel] Chrome gets stuck and firefox won't open until stopping/restarting pcscd or unplugging CAC reader

[Daffy D. <suf...@gm...>]

Hello,

I have Fedora 33, 64 bit.  It started with F32.

SCR3310 card reader.

For months now, I am constantly having the problem of being in
Chrome and web pages timing out until I stop, and sometimes restart,
etc
pcscd.  At the same time, when this is occuring, firefox will not open.

Once I either restart it or stop pcscd process, or sometimes if I
unplug the CAC reader, things work normally
again for a time.

Any ideas?

Re: [Opensc-devel] OpenSC 0.21.0 release candidate 1

[Frank M. <fra...@gm...>]

Hi all!

You can find a second release candidate for version 0.21.0 for testing on
Github

https://github.com/OpenSC/OpenSC/releases/tag/0.21.0-rc2

This time, it also includes binaries for macOS, which are not (yet)
notarized. In my tests, however, PKCS#11, tokend and CTK are fully
functional anyway.

Regards,
Frank.


Am Mo., 5. Okt. 2020 um 09:00 Uhr schrieb Frank Morgner <
fra...@gm...>:

> Hi all!
>
> You can find a release candidate for version 0.21.0 for testing on Github
>
> https://github.com/OpenSC/OpenSC/releases/tag/0.21.0-rc1
>
> We are looking forward about your feedback. Advices for systematic testing
> can be found here
> https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing
>
> Regards,
> Frank.
>

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Frank M. <fra...@gm...>]

Thanks for all the pointers and inputs.

I've reverted the Nightly repository to not use the LFS extensions.
Instead, large binaries are split up into 50MB chunks via `split`.
This can be easily reassembled on all platforms, so no further .action
regarding hosting/billing or similar is needed.

However, since I'm now in contact with Github, let's see if some
things may get easier in the future...

Regards, Frank.

Am Di., 27. Okt. 2020 um 08:01 Uhr schrieb z <mis...@gm...>:
>
> I would be happy to contribute with money if that would solve the problem.
> Unfortunately paying is not a solution, as for ransomware. The Git LFS
> pricing model is a scam!
>
> The problem is that bandwidth usage is counted for all LFS downloads,
> _including from forks_! Which makes it completely useless other than for
> private repos. This was neatly described already five years ago in "GitHub’s
> Large File Storage is no panacea for Open Source" by Stephane Peter,
> https://medium.com/@megastep/github-s-large-file-storage-is-no-panacea-for-open-source-quite-the-opposite-12c0e16a9a91.
>
> The conclusion for OpenSC is that using LFS on github is not an option.
> Assuming that migrating from github is out of the question, we have the
> following options:
> 1. Investigate if splitted dmg files can be created (with hdiutil segment,
> files named xxx.dmgpart) and mounted as a single disk image without the need
> to recombine.
> 2. Using an archive format (such as zip) for splitting the files in smaller
> chunks, letting the user recreate the dmg before use.
> 3. Storing large files on an external provider and using scripts or git
> hooks to download them after repo checkout.
>
> pCloud has 10 GB free storage (https://www.pcloud.com/)
>
> Zoltan Kelemen
>
> -----Original Message-----
> From: Douglas E Engert
> Sent: Tuesday, October 27, 2020 12:10 AM
> To: ope...@li...
> Subject: Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for
> OpenSC
>
> I too do not make any money from OpenSC. I retired 5 year ago.
>
> It looks like the problem is with using LFS a few days ago, to handle
> the large MacOS DMG file.
>
> Frank said: "Does anyone have a better idea?"
>
> Short term would be to pay $5 for this month.
>
> Long term would be find a different way to distribute the MacOS DMG like
> some free FTP site.
> (I don't know of any.) I would not expect an linux distro to host a MacOS
> distribution.
> Does Apple have such a site?
>
> Or split the DMG up in to smaller pieces.
>
> Make MacOS users build their own DMG.
>
> Don't build more then 20 times a month. But LFS usage may also include
> people
> downloading the DMG file, so that that may make free LFS completely useless.
>
>
>
> On 10/26/2020 12:36 PM, Ludovic Rousseau wrote:
> > Le dim. 25 oct. 2020 à 00:33, Douglas E Engert <dee...@gm...> a
> > écrit :
> >>
> >> Yes. someone pay the $5/month. Someone who is making a living to work on
> >> OpenSC.
> >
> > I do not make any money from OpenSC :-)
> >
> > I now received:
> > Git LFS has been disabled on the organization OpenSC because you’ve
> > exceeded your data plan by at least 150%. Please purchase additional
> > data packs to cover your bandwidth and storage usage:
> >
> >    https://github.com/organizations/OpenSC/billing/data/upgrade
> >
> > Current usage as of 26 Oct 2020 04:40PM UTC:
> >
> >    Bandwidth: 1.51 GB / 1 GB (151%)
> >    Storage: 0.76 GB / 1 GB (76%)
> >
>
> --
>
>   Douglas E. Engert  <DEE...@gm...>
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[NdK <ndk...@gm...>]

Il 27/10/20 08:00, z ha scritto:

> 3. Storing large files on an external provider and using scripts or git
> hooks to download them after repo checkout.
I have a personale site on Aruba where I could "mirror" the files.
If it could be useful...

BYtE,
 Diego

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Ludovic R. <lud...@gm...>]

Le mar. 27 oct. 2020 à 08:01, z <mis...@gm...> a écrit :
> 3. Storing large files on an external provider and using scripts or git
> hooks to download them after repo checkout.

There is an OpenSC project at sourceforge.net with some old files (from 2016).
https://sourceforge.net/projects/opensc/files/OpenSC/

AFAIK sourceforge is still free (as in free beer) but adds advertising
and sometimes "malicious" software.
I am one of the admins of the sourceforge OpenSC project.

Bye

-- 
 Dr. Ludovic Rousseau

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Christian F. <pu...@fe...>]

Hi,

Gitlab offers an Open Source program. Is it considerable to move project 
from Github tu Gitlab?

Christian

Am 26.10.20 um 18:36 schrieb Ludovic Rousseau:
>> Yes. someone pay the $5/month. Someone who is making a living to work on OpenSC.

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[z <mis...@gm...>]

I would be happy to contribute with money if that would solve the problem. 
Unfortunately paying is not a solution, as for ransomware. The Git LFS 
pricing model is a scam!

The problem is that bandwidth usage is counted for all LFS downloads, 
_including from forks_! Which makes it completely useless other than for 
private repos. This was neatly described already five years ago in "GitHub’s 
Large File Storage is no panacea for Open Source" by Stephane Peter, 
https://medium.com/@megastep/github-s-large-file-storage-is-no-panacea-for-open-source-quite-the-opposite-12c0e16a9a91.

The conclusion for OpenSC is that using LFS on github is not an option. 
Assuming that migrating from github is out of the question, we have the 
following options:
1. Investigate if splitted dmg files can be created (with hdiutil segment, 
files named xxx.dmgpart) and mounted as a single disk image without the need 
to recombine.
2. Using an archive format (such as zip) for splitting the files in smaller 
chunks, letting the user recreate the dmg before use.
3. Storing large files on an external provider and using scripts or git 
hooks to download them after repo checkout.

pCloud has 10 GB free storage (https://www.pcloud.com/)

Zoltan Kelemen

-----Original Message----- 
From: Douglas E Engert
Sent: Tuesday, October 27, 2020 12:10 AM
To: ope...@li...
Subject: Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for 
OpenSC

I too do not make any money from OpenSC. I retired 5 year ago.

It looks like the problem is with using LFS a few days ago, to handle
the large MacOS DMG file.

Frank said: "Does anyone have a better idea?"

Short term would be to pay $5 for this month.

Long term would be find a different way to distribute the MacOS DMG like 
some free FTP site.
(I don't know of any.) I would not expect an linux distro to host a MacOS 
distribution.
Does Apple have such a site?

Or split the DMG up in to smaller pieces.

Make MacOS users build their own DMG.

Don't build more then 20 times a month. But LFS usage may also include 
people
downloading the DMG file, so that that may make free LFS completely useless.



On 10/26/2020 12:36 PM, Ludovic Rousseau wrote:
> Le dim. 25 oct. 2020 à 00:33, Douglas E Engert <dee...@gm...> a 
> écrit :
>>
>> Yes. someone pay the $5/month. Someone who is making a living to work on 
>> OpenSC.
>
> I do not make any money from OpenSC :-)
>
> I now received:
> Git LFS has been disabled on the organization OpenSC because you’ve
> exceeded your data plan by at least 150%. Please purchase additional
> data packs to cover your bandwidth and storage usage:
>
>    https://github.com/organizations/OpenSC/billing/data/upgrade
>
> Current usage as of 26 Oct 2020 04:40PM UTC:
>
>    Bandwidth: 1.51 GB / 1 GB (151%)
>    Storage: 0.76 GB / 1 GB (76%)
>

-- 

  Douglas E. Engert  <DEE...@gm...>



_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel 

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Douglas E E. <dee...@gm...>]

I too do not make any money from OpenSC. I retired 5 year ago.

It looks like the problem is with using LFS a few days ago, to handle
the large MacOS DMG file.

Frank said: "Does anyone have a better idea?"

Short term would be to pay $5 for this month.

Long term would be find a different way to distribute the MacOS DMG like some free FTP site.
(I don't know of any.) I would not expect an linux distro to host a MacOS distribution.
Does Apple have such a site?

Or split the DMG up in to smaller pieces.

Make MacOS users build their own DMG.

Don't build more then 20 times a month. But LFS usage may also include people
downloading the DMG file, so that that may make free LFS completely useless.



On 10/26/2020 12:36 PM, Ludovic Rousseau wrote:
> Le dim. 25 oct. 2020 à 00:33, Douglas E Engert <dee...@gm...> a écrit :
>>
>> Yes. someone pay the $5/month. Someone who is making a living to work on OpenSC.
> 
> I do not make any money from OpenSC :-)
> 
> I now received:
> Git LFS has been disabled on the organization OpenSC because you’ve
> exceeded your data plan by at least 150%. Please purchase additional
> data packs to cover your bandwidth and storage usage:
> 
>    https://github.com/organizations/OpenSC/billing/data/upgrade
> 
> Current usage as of 26 Oct 2020 04:40PM UTC:
> 
>    Bandwidth: 1.51 GB / 1 GB (151%)
>    Storage: 0.76 GB / 1 GB (76%)
> 

-- 

  Douglas E. Engert  <DEE...@gm...>

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Ludovic R. <lud...@gm...>]

Le dim. 25 oct. 2020 à 00:33, Douglas E Engert <dee...@gm...> a écrit :
>
> Yes. someone pay the $5/month. Someone who is making a living to work on OpenSC.

I do not make any money from OpenSC :-)

I now received:
Git LFS has been disabled on the organization OpenSC because you’ve
exceeded your data plan by at least 150%. Please purchase additional
data packs to cover your bandwidth and storage usage:

  https://github.com/organizations/OpenSC/billing/data/upgrade

Current usage as of 26 Oct 2020 04:40PM UTC:

  Bandwidth: 1.51 GB / 1 GB (151%)
  Storage: 0.76 GB / 1 GB (76%)

-- 
 Dr. Ludovic Rousseau

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Douglas E E. <dee...@gm...>]

Yes. someone pay the $5/month. Someone who is making a living to work on OpenSC.


On 10/24/2020 4:44 PM, Frank Morgner wrote:
> I've changed the repository for nightly builds to use lfs two days
> ago, because macOS' build is above 50 MB, which is the maximum
> filesize of a file in a standard git repository. If I remove LFS
> usage, we can't upload the dmg file, if I change the repository to
> track only dmg files via lfs, this exceeds the capacity after 20
> builds, both options are unsatisfying.
> 
> Does anyone have a better idea?
> 
> Regards, Frank.
> 
> Am Sa., 24. Okt. 2020 um 23:33 Uhr schrieb Ludovic Rousseau
> <lud...@gm...>:
>>
>> Hello,
>>
>> Le sam. 24 oct. 2020 à 21:39, Douglas E Engert <dee...@gm...> a écrit :
>>>
>>> I get a 404 with these:
>>> https://github.com/organizations/OpenSC/billing/data/upgrade
>>> https://github.com/organizations/OpenSC
>>> https://github.com/organizations
>>>
>>>
>>> But then again, I am not an "Owner" OpenSC, so may not be able to see the above.
>>>
>>> BUT
>>> This could have been a scam if someone created an organization called organizations
>>> They could then get enough info to produce the email below.
>>
>> I don't think that is a scam.
>> I am in other organizations and the URL is also
>> https://github.com/organizations/xyz/settings/billing
>>
>>> Github may have found and stopped this.
>>
>> It looks like I am the only one configured as billing manager for
>> OpenSC. See attached PDF.
>> That is NOT a good idea. We should be at least 2 or more in this position.
>> I sent an invitation to Frank Morgner.
>>
>> I think the problem is really with OpenSC use of github.
>> Maybe we could delete all the *old* rc releases that are not really useful?
>> I don't know exactly what is concerned by "Git LFS Data" for OpenSC projects.
>> Maybe OpenSC is too popular and too many people are downloading files? :-)
>> Or someone has configured a tool that does too many downloads?
>>
>> Bye
>>
>> --
>>   Dr. Ludovic Rousseau
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 

  Douglas E. Engert  <DEE...@gm...>

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Douglas E E. <dee...@gm...>]

These say how to increase bandwith per month.

https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-billing-and-payments-on-github/upgrading-git-large-file-storage


https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-billing-and-payments-on-github/about-billing-for-git-large-file-storage

For free we only get 1 GB/month. For $5/month we get 50 GB/month (and 50 GB of storage)

Note these limits are for all the OpenSC organization. I read this to mean all the repositories under OpenSC.

It also says:
"Bandwidth and storage usage only count against the repository owner's quotas. In forks, bandwidth
  and storage usage count against the root of the repository network. Anyone with write access to a
  repository can push files to Git LFS without affecting their personal bandwidth and storage quotas or
  purchasing data packs. Forking and pulling a repository counts against the parent repository's
  bandwidth limit."

OpenSC/OpenSC has 541 forks. If pulling counts against the parent repository's and some of them are pulling 0.21.0-rc1
that could be a large part of bandwidth. (I can not see the statistics


We have 11 repositories, one of which is Nighly. Every night creates a new branch and it has 2 forks. So someone
maybe pulling it ever night. And others may be trying 0.21.0-rc1.
This includes MSI and DEB for release and light and 64bit and 32 bit, and travis-CI built OpenSC-0.21.0-rc1.exe
and source tar.gz.

I would suggest that one of the owners (You, Frank, Martin and Vicktor) setup how to pay $5/month.


On 10/24/2020 4:32 PM, Ludovic Rousseau wrote:
> Hello,
> 
> Le sam. 24 oct. 2020 à 21:39, Douglas E Engert <dee...@gm...> a écrit :
>>
>> I get a 404 with these:
>> https://github.com/organizations/OpenSC/billing/data/upgrade
>> https://github.com/organizations/OpenSC
>> https://github.com/organizations
>>
>>
>> But then again, I am not an "Owner" OpenSC, so may not be able to see the above.
>>
>> BUT
>> This could have been a scam if someone created an organization called organizations
>> They could then get enough info to produce the email below.
> 
> I don't think that is a scam.
> I am in other organizations and the URL is also
> https://github.com/organizations/xyz/settings/billing
> 
>> Github may have found and stopped this.
> 
> It looks like I am the only one configured as billing manager for
> OpenSC. See attached PDF.
> That is NOT a good idea. We should be at least 2 or more in this position.
> I sent an invitation to Frank Morgner.
> 
> I think the problem is really with OpenSC use of github.
> Maybe we could delete all the *old* rc releases that are not really useful?
> I don't know exactly what is concerned by "Git LFS Data" for OpenSC projects.
> Maybe OpenSC is too popular and too many people are downloading files? :-)
> Or someone has configured a tool that does too many downloads?
> 
> Bye
> 

-- 

  Douglas E. Engert  <DEE...@gm...>

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Frank M. <fra...@gm...>]

I've changed the repository for nightly builds to use lfs two days
ago, because macOS' build is above 50 MB, which is the maximum
filesize of a file in a standard git repository. If I remove LFS
usage, we can't upload the dmg file, if I change the repository to
track only dmg files via lfs, this exceeds the capacity after 20
builds, both options are unsatisfying.

Does anyone have a better idea?

Regards, Frank.

Am Sa., 24. Okt. 2020 um 23:33 Uhr schrieb Ludovic Rousseau
<lud...@gm...>:
>
> Hello,
>
> Le sam. 24 oct. 2020 à 21:39, Douglas E Engert <dee...@gm...> a écrit :
> >
> > I get a 404 with these:
> > https://github.com/organizations/OpenSC/billing/data/upgrade
> > https://github.com/organizations/OpenSC
> > https://github.com/organizations
> >
> >
> > But then again, I am not an "Owner" OpenSC, so may not be able to see the above.
> >
> > BUT
> > This could have been a scam if someone created an organization called organizations
> > They could then get enough info to produce the email below.
>
> I don't think that is a scam.
> I am in other organizations and the URL is also
> https://github.com/organizations/xyz/settings/billing
>
> > Github may have found and stopped this.
>
> It looks like I am the only one configured as billing manager for
> OpenSC. See attached PDF.
> That is NOT a good idea. We should be at least 2 or more in this position.
> I sent an invitation to Frank Morgner.
>
> I think the problem is really with OpenSC use of github.
> Maybe we could delete all the *old* rc releases that are not really useful?
> I don't know exactly what is concerned by "Git LFS Data" for OpenSC projects.
> Maybe OpenSC is too popular and too many people are downloading files? :-)
> Or someone has configured a tool that does too many downloads?
>
> Bye
>
> --
>  Dr. Ludovic Rousseau
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Ludovic R. <lud...@gm...>]

Hello,

Le sam. 24 oct. 2020 à 21:39, Douglas E Engert <dee...@gm...> a écrit :
>
> I get a 404 with these:
> https://github.com/organizations/OpenSC/billing/data/upgrade
> https://github.com/organizations/OpenSC
> https://github.com/organizations
>
>
> But then again, I am not an "Owner" OpenSC, so may not be able to see the above.
>
> BUT
> This could have been a scam if someone created an organization called organizations
> They could then get enough info to produce the email below.

I don't think that is a scam.
I am in other organizations and the URL is also
https://github.com/organizations/xyz/settings/billing

> Github may have found and stopped this.

It looks like I am the only one configured as billing manager for
OpenSC. See attached PDF.
That is NOT a good idea. We should be at least 2 or more in this position.
I sent an invitation to Frank Morgner.

I think the problem is really with OpenSC use of github.
Maybe we could delete all the *old* rc releases that are not really useful?
I don't know exactly what is concerned by "Git LFS Data" for OpenSC projects.
Maybe OpenSC is too popular and too many people are downloading files? :-)
Or someone has configured a tool that does too many downloads?

Bye

-- 
 Dr. Ludovic Rousseau

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Douglas E E. <dee...@gm...>]

https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-billing-and-payments-on-github/upgrading-your-github-subscription

Says: "Only organization members with the owner or billing manager role can access or change billing settings for your organization."

https://docs.github.com/en/free-pro-team@latest/github/setting-up-and-managing-billing-and-payments-on-github/managing-billing-for-git-large-file-storage

Says: "View details of your bandwidth and storage usage under "Git LFS Data".


If this is a LFS issue, can we reduce how long archival data is kept for nighly builds and PR builds?




On 10/24/2020 2:39 PM, Douglas E Engert wrote:
> I get a 404 with these:
> https://github.com/organizations/OpenSC/billing/data/upgrade
> https://github.com/organizations/OpenSC
> https://github.com/organizations
> 
> 
> But then again, I am not an "Owner" OpenSC, so may not be able to see the above.
> 
> BUT
> This could have been a scam if someone created an organization called organizations
> They could then get enough info to produce the email below.
> 
> Github may have found and stopped this.
> 
> 
> 
> https://github.com/pricing
> 
> Says "FREE"  gets "2,000 Actions minutes/month"
> Says we should get 500MB for the "Free Basics for teams and developers"
> 
> We may have exceeded one of these limits.
> 
> 
> 
> 
> 
> 
> 
> 
> On 10/24/2020 7:19 AM, Ludovic Rousseau wrote:
>> Hello OpenSC people,
>>
>> As one of the OpenSC project github admins I received the email below.
>> I am not sure if we need to do something.
>>
>> I just checked and I am still able to download the
>> opensc-0.21.0-rc1.tar.gz from github.
>> So I don't know what would happen if we do nothing.
>>
>> Bye
>>
>> ---------- Forwarded message ---------
>> De : GitHub <su...@gi...>
>> Date: sam. 24 oct. 2020 à 03:42
>> Subject: [GitHub] At 100% of Git LFS data quota for OpenSC
>> To: OpenSC team <lud...@gm...>
>>
>>
>> You’ve used 100% of your data plan for Git LFS on the organization
>> OpenSC. Please purchase additional data packs to cover your bandwidth
>> and storage usage:
>>
>>    https://github.com/organizations/OpenSC/billing/data/upgrade
>>
>> Current usage as of 24 Oct 2020 01:42AM UTC:
>>
>>    Bandwidth: 1.08 GB / 1 GB (108%)
>>    Storage: 0.58 GB / 1 GB (57%)
>>
>>
> 

-- 

  Douglas E. Engert  <DEE...@gm...>

Re: [Opensc-devel] Fwd: [GitHub] At 100% of Git LFS data quota for OpenSC

[Douglas E E. <dee...@gm...>]

I get a 404 with these:
https://github.com/organizations/OpenSC/billing/data/upgrade
https://github.com/organizations/OpenSC
https://github.com/organizations


But then again, I am not an "Owner" OpenSC, so may not be able to see the above.

BUT
This could have been a scam if someone created an organization called organizations
They could then get enough info to produce the email below.

Github may have found and stopped this.



https://github.com/pricing

Says "FREE"  gets "2,000 Actions minutes/month"
Says we should get 500MB for the "Free Basics for teams and developers"

We may have exceeded one of these limits.








On 10/24/2020 7:19 AM, Ludovic Rousseau wrote:
> Hello OpenSC people,
> 
> As one of the OpenSC project github admins I received the email below.
> I am not sure if we need to do something.
> 
> I just checked and I am still able to download the
> opensc-0.21.0-rc1.tar.gz from github.
> So I don't know what would happen if we do nothing.
> 
> Bye
> 
> ---------- Forwarded message ---------
> De : GitHub <su...@gi...>
> Date: sam. 24 oct. 2020 à 03:42
> Subject: [GitHub] At 100% of Git LFS data quota for OpenSC
> To: OpenSC team <lud...@gm...>
> 
> 
> You’ve used 100% of your data plan for Git LFS on the organization
> OpenSC. Please purchase additional data packs to cover your bandwidth
> and storage usage:
> 
>    https://github.com/organizations/OpenSC/billing/data/upgrade
> 
> Current usage as of 24 Oct 2020 01:42AM UTC:
> 
>    Bandwidth: 1.08 GB / 1 GB (108%)
>    Storage: 0.58 GB / 1 GB (57%)
> 
> 

-- 

  Douglas E. Engert  <DEE...@gm...>