Thank you for your comment, Stephen. I understand. OK, although I will wait for the FPC's comment, I will try to use and test the SHA1 that is included in OpenSSL.

> target system, I'd personally prefer to see this package linked
> against openssl, mozilla-nss or gnutls.

Yes, I agree with you.

Kenjiro

Kenjiro Nakayama <knakayam@xxxxxxxxxx>
GPG Key fingerprint = ED8F 049D E67A 727D 9A44 8E25 F44B E208 C946 5EB9
Red Hat K.K.
Ebisu Neonato 8F, 1-18 Ebisu 4-chome, Shibuya-ku, Tokyo, Japan 150-0013

----- Original Message -----
From: "Stephen Gallagher" <sgallagh@xxxxxxxxxx>
To: "Discussion of RPM packaging standards and practices for Fedora" <packaging@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, March 25, 2014, 9:18:08 PM
Subject: Re: No response to new ticket #407

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/24/2014 10:14 PM, Kenjiro Nakayama wrote:
> Hi,
>
> Although I have created a new ticket [1], I have had no response yet. Can
> anyone take a look, or how long should I wait?
>
> [1] https://fedorahosted.org/fpc/ticket/407
>

I'm not speaking for the FPC (I'm not a member), but in general, it's preferred to modify the package to consume one of the approved crypto libraries if at all possible. It's very dangerous to allow bundled crypto implementations in the system because there are no guarantees that flaws will be fixed in a timely manner.

Looking at the package you're trying to add, my guess is that it needs the SHA1 implementation for use in a checksumming/validation routine for apt. Given the possibility that a flaw in the SHA1 implementation *could* conceivably mean being able to sneak arbitrary packages onto a target system, I'd personally prefer to see this package linked against openssl, mozilla-nss or gnutls.

My (perhaps incorrect) understanding about the MD5 exception is that it exists pretty much only because 1) MD5 is a very simple algorithm, 2) MD5 is no longer used for anything sensitive because the algorithm is known to have been broken, and 3) MD5 bundling was so ubiquitous that it became clear that efforts to separate it were more effort than they were worth. None of those three conditions is true of SHA1; it's a very complicated, security-sensitive algorithm that historically has not been reimplemented in many places because linking to existing crypto libraries has usually been easier than rewriting it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMxdAAACgkQeiVVYja6o6M6FQCgrtK6B8ybjO7bp28YjEDI+66W
F+MAoIWSHvCYSdncqfflixkauxgBBtrd
=8I/f
-----END PGP SIGNATURE-----
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging