[Fedora-packaging] No response to new ticket #407

Stephen Gallagher sgallagh at redhat.com
Tue Mar 25 12:18:08 UTC 2014


On 03/24/2014 10:14 PM, Kenjiro Nakayama wrote:
> Hi,
> 
> Although I have created new ticket[1], I get no response yet. Can
> anyone take a look, or how long should I wait?
> 
> [1] https://fedorahosted.org/fpc/ticket/407
> 

I'm not speaking for the FPC (I'm not a member), but in general, it's
preferred to modify the package to consume one of the approved crypto
libraries if at all possible. It's very dangerous to allow bundled
crypto implementations in the system because there are no guarantees
that flaws will be fixed in a timely manner.

Looking at the package you're trying to add, my guess is that it needs
the SHA1 implementation for use in a checksumming/validation routine
for apt. Given the possibility that a flaw in the SHA1 implementation
*could* conceivably mean being able to sneak arbitrary packages onto a
target system, I'd personally prefer to see this package linked
against openssl, mozilla-nss or gnutls.

My (perhaps incorrect) understanding about the MD5 exception is that
it exists pretty much only because 1) MD5 is a very simple algorithm,
2) MD5 is no longer used for anything sensitive because the algorithm
is known to have been broken and 3) MD5 bundling was so ubiquitous
that it became clear that efforts to separate it were more effort than
they were worth.

None of those three conditions is true about SHA1; it's a very
complicated, security-sensitive algorithm that historically has not
been reimplemented in many places because linking to existing crypto
libraries has usually been easier than rewriting it.
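As an added example (not from this thread, and not code from the package under review), here is a small Python check of the kind a packager can run over a source tree to flag a bundled SHA-1 or MD5 copy by its magic constants and to confirm that a checksum routine instead pulls in one of the system libraries named above; the two C snippets inside it are constructed samples.

```python
import re

# Magic constants a hand-written SHA-1 or MD5 almost always carries literally
# in its source: the initial hash state plus the round constants. MD5 and
# SHA-1 share their first four state words, so the round constants are what
# actually tell the two apart.
SIGNATURES = {
    "SHA-1": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0,
              0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
    "MD5": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476,
            0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
}
HEX_LITERAL = re.compile(r"0[xX]([0-9a-fA-F]{8})(?![0-9a-fA-F])")
SYSTEM_HEADERS = {  # the approved system crypto libraries named in the thread
    "openssl": re.compile(r"#\s*include\s*<openssl/"),
    "nss": re.compile(r"#\s*include\s*<(?:nss3?/)?nss\.h>"),
    "gnutls": re.compile(r"#\s*include\s*<gnutls/"),
}

def find_bundled_hashes(source):
    """Names of algorithms whose complete constant set appears in `source`."""
    literals = {int(m, 16) for m in HEX_LITERAL.findall(source)}
    return [name for name, consts in SIGNATURES.items()
            if all(c in literals for c in consts)]

def system_crypto_headers(source):
    """Which approved system libraries `source` includes headers from."""
    return [name for name, pat in SYSTEM_HEADERS.items() if pat.search(source)]

BUNDLED_SHA1_SRC = """/* constructed sample: hand-rolled SHA-1, as a bundled copy looks */
static const uint32_t H0[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE,
                               0x10325476, 0xC3D2E1F0};
static const uint32_t K[4] = {0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6};
"""
LINKED_SRC = """/* constructed sample: the same checksum routine via the system library */
#include <openssl/evp.h>
int checksum(const unsigned char *buf, size_t n, unsigned char *out) {
    unsigned int len = 0;
    return EVP_Digest(buf, n, out, &len, EVP_sha1(), NULL);
}
"""

if __name__ == "__main__":
    for label, src in (("bundled", BUNDLED_SHA1_SRC), ("linked", LINKED_SRC)):
        print(label, find_bundled_hashes(src), system_crypto_headers(src))
```

Running it over a real tree means feeding each file's text to both functions; a hit from the first with no hit from the second is the case the reply above argues should not be approved.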