[Fedora-packaging] No responce to new ticket #407

Kenjiro Nakayama knakayam at redhat.com
Tue Mar 25 13:14:43 UTC 2014 

Thank you for your comment, Stephen.

I understand.

OK, altough I will wait for the FPC's comment, I try to use and test SHA1
which is included in Open SSL.

> target system, I'd personally prefer to see this package linked
> against openssl, mozilla-nss or gnutls.

Yes, I agree with you. 

Kenjiro

Kenjiro Nakayama <knakayam at redhat.com>
GPG Key fingerprint = ED8F 049D E67A 727D 9A44  8E25 F44B E208 C946 5EB9
Red Hat K.K.
Ebisu Neonato 8F, 1-18 Ebisu 4-chome,
Shibuya-ku, Tokyo, Japan 150-0013

----- 元のメッセージ -----
差出人: "Stephen Gallagher" <sgallagh at redhat.com>
宛先: "Discussion of RPM packaging standards and practices for Fedora" <packaging at lists.fedoraproject.org>
送信済み: 2014年3月25日, 火曜日 午後 9:18:08
件名: Re: [Fedora-packaging] No responce to new ticket #407

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/24/2014 10:14 PM, Kenjiro Nakayama wrote:
> Hi,
> 
> Although I have created new ticket[1], I get no response yet. Can
> anyone take a look, or how long should I wait?
> 
> [1] https://fedorahosted.org/fpc/ticket/407
> 

I'm not speaking for the FPC (I'm not a member), but in general, it's
preferred to modify the package to consume one of the approved crypto
libraries if at all possible. It's very dangerous to allow bundled
crypto implementations in the system because there are no guarantees
that flaws will be fixed in a timely manner.

Looking at the package you're trying to add, my guess is that is needs
the SHA1 implementation for use in a checksumming/validation routine
for apt. Given the possibility that a flaw in the SHA1 implementation
*could* conceivably mean being able to sneak arbitrary packages onto a
target system, I'd personally prefer to see this package linked
against openssl, mozilla-nss or gnutls.

My (perhaps incorrect) understanding about the MD5 exception is that
it exists pretty much only because 1) MD5 is a very simple algorithm,
2) MD5 is no longer used for anything sensitive because the algorithm
is known to have been broken and 3) MD5 bundling was so ubiquitous
that it became clear that efforts to separate it were more effort than
they were worth.

None of those three conditions is true about SHA1; it's a very
complicated, security-sensitive algorithm that historically has not
been reimplemented in many places because linking to existing crypto
libraries has usually been easier than rewriting it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMxdAAACgkQeiVVYja6o6M6FQCgrtK6B8ybjO7bp28YjEDI+66W
F+MAoIWSHvCYSdncqfflixkauxgBBtrd
=8I/f
-----END PGP SIGNATURE-----
--
packaging mailing list
packaging at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/packaging

More information about the packaging mailing list