On Tue, Mar 25, 2014 at 08:18:08AM -0400, Stephen Gallagher wrote: First, historical notes: > > My (perhaps incorrect) understanding about the MD5 exception is that > it exists pretty much only because 1) MD5 is a very simple algorithm, > 2) MD5 is no longer used for anything sensitive because the algorithm > is known to have been broken and > Neither of these two was a consideration :-( > 3) MD5 bundling was so ubiquitous > that it became clear that efforts to separate it were more effort than > they were worth. > this is probably the closest to the rationale we currently have. The bundling guidelines do allow FPC to ban bundling of items due to security concerns but in practice we want to accomodate people who want to get their software in so we are constantly trying to find reasons to justify being more lenient rather than being stricter. on the basis of precedent we probably wouldn't keep bundling of a sha1 implementation out of Fedora unless there was a library that implemented that API already available. If you do a web search for the copyright holders of this implementation and sha1 you'll find that the code is being used in several different modified forms in a variety of projects but not as a standalone library :-( If there was a library that made just sha1 (or even just hashes) available we might consider it -- I know when we've discussed md5 before we've lamented the fact that there's no libmd5 that was lightweight, had a simple API, and in Fedora, that we could tell people to look into using instead. But due to the lack of such a library we've never had to set precedent on whether to force maintainers to do that port instead of bundling. OTOH, if a package maintainer wants to perform such a port, we certainly won't object :-) -Toshio
Attachment:
pgpSdHzYJji2Q.pgp
Description: PGP signature
-- packaging mailing list packaging@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/packaging