Date: Wed, 8 Jan 2014 20:10:46 -0500
From: Glen Barber
To: Peter Wemm
Subject: Re: md2 on current and 10.
Message-ID: <20140109011046.GJ64543@glenbarber.us>
Cc: olli hauer, Current FreeBSD, Mikhail T

On Wed, Jan 08, 2014 at 05:05:51PM -0800, Peter Wemm wrote:
> On 1/8/14, 7:00 AM, Mikhail T wrote:
> > On 08.01.2014 02:54, Peter Wemm wrote:
> >>> > Could we, please, have MD2 resurrected before 10.0 is officially out?
> >>> > Preferably in both -lmd and -lcrypto, but certainly in the former. Thank
> >>> > you! Yours,
> >> The time to bring this up was before the freeze for 10.0, a good 6+
> >> months ago. It is way too late now.
> > First of all, Peter, are you talking as a core-member, or expressing
> > personal opinion? In any case, I'd say it is not entirely fair to blame me
> > for reporting a problem "late" -- without any apologies about causing it in
> > the first place...
> >
> > But is it really "too late" to add such a small piece back to where it was?
> > I'm not talking about resurrecting uucp here... Meanwhile, any existing
> > MD2-using application will simply break after upgrade -- does that not
> > bother anyone?
> > If the code was removed after 19 years in the tree, is 6
> > months really "too late" to resurrect it?
>
> Personal unless stated otherwise.
>
> By "too late" I mean the cutoff has already passed for the final RC and
> there won't be more unless there's an absolute emergency.
>
> As for timeliness of the request, here's the original commit:
> ------------------------------------------------------------------------
> r234746 | obrien | 2012-04-27 19:48:51 -0700 (Fri, 27 Apr 2012) | 10 lines
>
> Remove the RFC 1319 MD2 Message-Digest Algorithm routines from libmd.
>
> 1. The licensing terms for the MD2 routines from RFC is not under a BSD-like
>    license. Instead it is only granted for non-commercial Internet
>    Privacy-Enhanced Mail.
> 2. MD2 is quite deprecated as it is no longer considered a cryptographically
>    strong algorithm.
>
> Discussed with: so (cperciva), core
> ------------------------------------------------------------------------
>
> The original feature cutoff schedules were:
>
> head/ slush: August 24, 2013
> head/ freeze: September 7, 2013
>
> 10.0 is already late. The original plan would have had 10.0 released in
> November. That's before the first email in this thread - December.
>
> You can always ask the release engineers for an exception, but given that
> the release is already overdue I'd bet money you won't get a positive
> reception to a request to a delay for md2.
>

This is correct.

> You could ask obrien to revert his commit for head but I'd bet you won't
> get a positive response there.
>
> >> However.. the code in libmd had had a non-commercial use restriction..
> >> Even if it wasn't too late, that code won't be back.
> > That restriction was not (enough of) a problem for 20 years (since 1994) --
> > and still is not in 9.x and 8.x. But, Ok...
> >> Your best bet is to create a crypto/libmd2 port. Start with the code
> >> from openssl.
> > Adding such a port increases the number of hoops for any user to jump
> > through -- and the maintenance costs. Whereas the cost of simply adjusting
> > the base OpenSSL's configuration to include MD2 functionality is virtually
> > zero -- a single additional file will be back (md2.h), and no new
> > libraries...
>
> The path of least resistance is to make a libmd2 port. It's the only way I
> can see you getting to use it on 10.0.
>

This is also correct.

Glen