md2 on current and 10.
Glen Barber
gjb at FreeBSD.org
Thu Jan 9 01:10:52 UTC 2014
On Wed, Jan 08, 2014 at 05:05:51PM -0800, Peter Wemm wrote:
> On 1/8/14, 7:00 AM, Mikhail T wrote:
> > On 08.01.2014 02:54, Peter Wemm wrote:
> >>> > Could we, please, have MD2 resurrected before 10.0 is officially out?
> >>> > Preferably in both -lmd and -lcrypto, but certainly in the former. Thank
> >>> > you! Yours,
> >> The time to bring this up was before the freeze for 10.0, a good 6+
> >> months ago. It is way too late now.
> > First of all, Peter, are you talking as a core-member, or expressing
> > personal opinion? In any case, I'd say it is not entirely fair to blame me
> > for reporting a problem "late" -- without any apologies about causing it in
> > the first place...
> >
> > But is it really "too late" to add such a small piece back to where it was?
> > I'm not talking about resurrecting uucp here... Meanwhile, any existing
> > MD2-using application will simply break after upgrade -- does that not
> > bother anyone? If the code was removed after 19 years in the tree, is 6
> > months really "too late" to resurrect it?
>
> Personal unless stated otherwise.
>
> By "too late" I mean the cutoff has already passed for the final RC and
> there won't be more unless there's an absolute emergency.
>
> As for timeliness of the request, here's the original commit:
> ------------------------------------------------------------------------
> r234746 | obrien | 2012-04-27 19:48:51 -0700 (Fri, 27 Apr 2012) | 10 lines
>
> Remove the RFC 1319 MD2 Message-Digest Algorithm routines from libmd.
>
> 1. The licensing terms for the MD2 routines from RFC is not under a BSD-like
> license. Instead it is only granted for non-commercial Internet
> Privacy-Enhanced Mail.
> 2. MD2 is quite deprecated as it is no longer considered a cryptographically
> strong algorithm.
>
> Discussed with: so (cperciva), core
> ------------------------------------------------------------------------
>
> The original feature cutoff schedules were:
>
> head/ slush: August 24, 2013
> head/ freeze: September 7, 2013
>
> 10.0 is already late. The original plan would have had 10.0 released in
> November. That's before the first email in this thread - December.
>
> You can always ask the release engineers for an exception, but given that
> the release is already overdue I'd bet money you won't get a positive
> reception to a request to a delay for md2.
>
This is correct.
> You could ask obrien to revert his commit for head but I'd bet you won't
> get a positive response there.
>
> >> However.. the code in libmd had had a non-commercial use restriction..
> >> Even if it wasn't too late, that code won't be back.
> > That restriction was not (enough of) a problem for 20 years (since 1994) --
> > and still is not in 9.x and 8.x. But, Ok...
> >> Your best bet is to create a crypto/libmd2 port. Start with the code
> >> from openssl.
> > Adding such a port increases the number of hoops for any user to jump
> > through -- and the maintenance costs. Whereas the cost of simply adjusting
> > the base OpenSSL's configuration to include MD2 functionality is virtually
> > zero -- a single additional file file will be back (md2.h), and no new
> > libraries...
>
> The path of least resistance is to make a libmd2 port. It's the only way I
> can see you getting to use it on 10.0.
>
This is also correct.
Glen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 834 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20140108/1fa4d158/attachment-0001.sig>
More information about the freebsd-current
mailing list