binaries

K T

Jul 12, 2018, 1:19:03 PM
to certificate-transparency
Any chance you guys are thinking of offering downloadable pre-compiled binaries of certificate-transparency? My attempts to build it have been a complete disaster. There are many necessary details missing from the build section of the README that I have had to spend hours chasing down.

Pierre Phaneuf

Jul 12, 2018, 2:03:48 PM
to certificate-transparency
I don't expect we'll provide pre-compiled binaries, no. We'd recommend
you use CTFE (in the github.com/google/certificate-transparency-go
repository) and Trillian (github.com/google/trillian) to run a
Certificate Transparency log server.

If what you were interested in was something else than the log server,
feel free to ask questions, we'll try to help you as best we can!

K T

Jul 12, 2018, 5:26:24 PM
to certificate-transparency
Running a log server is exactly what I'm interested in. 

What's the difference between Trillian + CTFE and certificate-transparency-go, or certificate-transparency for that matter (apart from the obvious, like certificate-transparency is written in C++ and has some experimental components)? Why do you recommend using Trillian + CTFE instead of certificate-transparency?

Pierre Phaneuf

Jul 13, 2018, 5:46:19 AM
to certificate-transparency
First off, of what is involved in running a CT log server
*successfully* (within the Chromium CT policy), I'm sorry to say that
building the C++ log server is probably one of the easiest steps!
Providing the robust distributed platform it needs to run on (a well
configured etcd setup on 3 to 5 machines, for example), having
sufficient monitoring and alerting to be notified of any problem
before they become serious, and having someone able to react quickly
to those alerts at all time (the maximum merge delay is 24 hours, and
the allowed unavailability is 21.7 hours in a 90 days period, so if
there's a problem on a Saturday morning, you can't wait until the
Monday to fix it), that's requires a non-trivial expertise, probably
spread across a team rather than an individual...

The C++ log server implementation (in certificate-transparency) keeps
its Merkle tree in memory, which means two things: before it can
handle requests, it has to load all the leaf hashes, which adds a
significant startup delay (some log operators have seen startup time
upwards of an hour), and also, that there are upper limits on the number
of entries a log server can handle, related to the memory usage.

Trillian provides a storage-based general (based on blobs rather than
X.509 and such structures) Merkle tree platform that is much more
scalable. A given request might have higher latency, due to having to
perform lookups into the storage system, but fairly constant, and in
exchange, the startup time is constant, and the number of entries a
log server can contain is vastly higher (based on available disk
storage rather than memory).

CTFE (which is in the certificate-transparency-go repository) then
simply implements the CT API on top of Trillian.

Also, while the "classic" Google CT logs (such as Rocketeer, Pilot,
Icarus, etc) are written in C++, they share very little code with the
open source C++ log server (the low level Merkle tree code, and some
serialisation code), but the newer Google CT logs (such as the Argon
and Xenon logs) are Trillian based to a much greater degree, sharing
something like 80% of the code with the open source version (there are
some interfaces for storage and a few other things that we use
different implementations of, for example).

In addition to the C++ implementation having those limits on
scalability (and in part because of it), we are also not working on it
much at all, mainly focusing our efforts on Trillian and CTFE. Since
we are using Trillian+CTFE ourselves, we are a lot more invested in
its maintenance!

For these reasons, we'd recommend Trillian+CTFE over the C++ log
server at this point.
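
As an added illustration of the in-memory versus storage-backed trade-off described in the message above (not code from the post, from the C++ log server or from Trillian): a Go sketch of the RFC 6962 Merkle tree hash that computes the same root two ways, once from every leaf hash, as a tree rebuilt in memory at startup must, and once from a small frontier of subtree roots that could be persisted. The function names and the sample entries are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/bits"
)

// sum is SHA-256 over the concatenated parts; RFC 6962 prefixes leaves with 0x00, nodes with 0x01.
func sum(parts ...[]byte) []byte {
	h := sha256.Sum256(bytes.Join(parts, nil))
	return h[:]
}
func nodeHash(l, r []byte) []byte { return sum([]byte{0x01}, l, r) }

// rootFromAllLeaves is the cold start of an in-memory tree: every leaf hash must be loaded first.
func rootFromAllLeaves(lh [][]byte) []byte {
	if len(lh) == 0 {
		return sum() // empty tree: SHA-256 of the empty string
	} else if len(lh) == 1 {
		return lh[0]
	}
	k := 1 << (bits.Len(uint(len(lh)-1)) - 1) // largest power of two below len(lh)
	return nodeHash(rootFromAllLeaves(lh[:k]), rootFromAllLeaves(lh[k:]))
}

// appendLeaf/frontierRoot (hypothetical names) keep one subtree root per set bit of size: O(log n) state.
func appendLeaf(nodes [][]byte, size uint64, lh []byte) [][]byte {
	for ; size&1 == 1; size >>= 1 { // merge equal-sized subtrees on the right edge
		lh, nodes = nodeHash(nodes[len(nodes)-1], lh), nodes[:len(nodes)-1]
	}
	return append(nodes, lh)
}

func frontierRoot(nodes [][]byte) []byte {
	if len(nodes) < 2 {
		return rootFromAllLeaves(nodes) // empty-tree hash, or the single subtree root
	}
	return nodeHash(nodes[0], frontierRoot(nodes[1:]))
}

func main() {
	var all, nodes [][]byte
	for i := uint64(0); i < 7; i++ { // constructed entries, not real certificates
		all = append(all, sum([]byte{0x00, byte(i)}))
		nodes = appendLeaf(nodes, i, all[i])
	}
	fmt.Println(bytes.Equal(frontierRoot(nodes), rootFromAllLeaves(all)), len(nodes))
}
```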

K T

Jul 13, 2018, 1:06:31 PM
to certificate-transparency
Ahhh, got it, thank you!!

Ian Foster

Aug 27, 2018, 6:00:27 PM
to certificate-transparency
I had the same desire a while ago when I wanted to run a local certificate-transparency server for testing. I ended up making my own docker images which are available here https://github.com/lanrat/docker-certificate-transparency with some example configurations. It's all hacky and not prod ready, but should be useful if anyone else wants to quickly get the C++ server running without worrying about compilation.