On Tue, Mar 25, 2014 at 08:18:08AM -0400, Stephen Gallagher wrote:
First, historical notes:
My (perhaps incorrect) understanding about the MD5 exception is that
it exists pretty much only because 1) MD5 is a very simple algorithm,
2) MD5 is no longer used for anything sensitive because the algorithm
is known to have been broken and
Neither of these two was a consideration :-(
3) MD5 bundling was so ubiquitous
that it became clear that efforts to separate it were more effort than
they were worth.
this is probably the closest to the rationale we currently have. The
bundling guidelines do allow FPC to ban bundling of items due to security
concerns but in practice we want to accomodate people who want to get their
software in so we are constantly trying to find reasons to justify being
more lenient rather than being stricter.
on the basis of precedent we probably wouldn't keep bundling of a sha1
implementation out of Fedora unless there was a library that implemented
that API already available. If you do a web search for the copyright
holders of this implementation and sha1 you'll find that the code is being
used in several different modified forms in a variety of projects but not as
a standalone library :-(
If there was a library that made just sha1 (or even just hashes) available
we might consider it -- I know when we've discussed md5 before we've
lamented the fact that there's no libmd5 that was lightweight, had a simple
API, and in Fedora, that we could tell people to look into using instead.
But due to the lack of such a library we've never had to set precedent on
whether to force maintainers to do that port instead of bundling.
OTOH, if a package maintainer wants to perform such a port, we certainly
won't object :-)