Re: [PATCH] sha1: add gnutls as a sha1 provider

On Tue, Nov 14, 2017 at 11:47 AM, Todd Zullinger <tmz@xxxxxxxxx> wrote:
>
> Hi Shawn,
>
> Shawn Landden wrote:
>>
>> I think this is preferable to bringing the assembly routines into the git code-base, as a way of getting access to these high-performance routines to a git available in Debian, Ubuntu, or Fedora (which all use BLK_SHA1=1 due to GPLv2 + OpenSSL license considerations, see Debian Bug #879459).
>
>
> While it seems like it could be useful to have the choice of using the fast SHA1 implementation without concern about licensing issues, there are a few details I thought were worth mentioning.
>
> Fedora moved from OpenSSL SHA1 to BLK_SHA1 to reduce the size of the binaries and dependencies, not due to licensing issues (Fedora considers OpenSSL a system library and allows linking GPLv2 code).
>
> Fedora now uses the default DC_SHA1 (the collision-detecting SHA1 implementation).  DC_SHA1 is not, as far as I know, as fast as the OpenSSL/GnuTLS SHA1, but it's safer given the increasingly successful attacks against SHA1.  I don't envision changing that to gain performance.  (And, of course, the speed of SHA1 should become less of an issue once git moves to a new, stronger hash.)
>
> It looks like the Debian packages use the default DC_SHA1 implementation as well.  Regardless of the licensing concerns regarding OpenSSL in Debian, I suspect they'll want to use the default, collision-detecting SHA1 implementation.  That doesn't mean a patch to add the option of GnuTLS isn't useful though.
>
> Fedora does link with OpenSSL's libcrypto and libssl in Fedora for the remote-curl helpers and imap-send.  I believe the remote-curl helpers just link with curl, which happens to use OpenSSL on Fedora and could use GnuTLS instead.  The imap-send command might also use curl and whatever crypto library curl is built with too, but I'm not terribly familiar with imap-send. (I think those are the only uses of libcrypto or libssl in Fedora's packages, but I could be mistaken).
>
> That's a lot of text without having anything to say about the actual patch.  Hopefully it's at least mildly useful to you or others. :)

It is all appreciated. I just want to make note that I am still
interested in getting this patch in.



