Date:      Wed, 8 Jan 2014 20:10:46 -0500
From:      Glen Barber <gjb@FreeBSD.org>
To:        Peter Wemm <peter@wemm.org>
Cc:        olli hauer <ohauer@gmx.de>, Current FreeBSD <freebsd-current@freebsd.org>, Mikhail T <mi+apache@aldan.algebra.com>
Subject:   Re: md2 on current and 10.
Message-ID:  <20140109011046.GJ64543@glenbarber.us>
In-Reply-To: <52CDF5EF.407@wemm.org>
References:  <52B392D9.4030507@aldan.algebra.com> <52B483D7.7080302@gmx.de> <52B486AD.7080102@aldan.algebra.com> <52B48E8C.5070804@gmx.de> <52BB2979.5040008@aldan.algebra.com> <CAGE5yCq=JEG40Ljtx0bfB5nSPCet-=PEzZdA7mfCw0DvMb4ttg@mail.gmail.com> <52CD6808.1080307@aldan.algebra.com> <52CDF5EF.407@wemm.org>



On Wed, Jan 08, 2014 at 05:05:51PM -0800, Peter Wemm wrote:
> On 1/8/14, 7:00 AM, Mikhail T wrote:
> > On 08.01.2014 02:54, Peter Wemm wrote:
> >>> > Could we, please, have MD2 resurrected before 10.0 is officially out?
> >>> > Preferably in both -lmd and -lcrypto, but certainly in the former. Thank
> >>> > you! Yours,
> >> The time to bring this up was before the freeze for 10.0, a good 6+
> >> months ago. It is way too late now.
> > First of all, Peter, are you talking as a core-member, or expressing
> > personal opinion? In any case, I'd say it is not entirely fair to blame me
> > for reporting a problem "late" -- without any apologies about causing it in
> > the first place...
> >
> > But is it really "too late" to add such a small piece back to where it was?
> > I'm not talking about resurrecting uucp here... Meanwhile, any existing
> > MD2-using application will simply break after upgrade -- does that not
> > bother anyone? If the code was removed after 19 years in the tree, is 6
> > months really "too late" to resurrect it?
>
> Personal unless stated otherwise.
>
> By "too late" I mean the cutoff has already passed for the final RC and
> there won't be more unless there's an absolute emergency.
>
> As for timeliness of the request, here's the original commit:
> ------------------------------------------------------------------------
> r234746 | obrien | 2012-04-27 19:48:51 -0700 (Fri, 27 Apr 2012) | 10 lines
>
> Remove the RFC 1319 MD2 Message-Digest Algorithm routines from libmd.
>
> 1. The licensing terms for the MD2 routines from RFC is not under a BSD-like
>    license.  Instead it is only granted for non-commercial Internet
>    Privacy-Enhanced Mail.
> 2. MD2 is quite deprecated as it is no longer considered a cryptographically
>    strong algorithm.
>
> Discussed with: so (cperciva), core
> ------------------------------------------------------------------------
>
> The original feature cutoff schedules were:
>
>  head/ slush:   August 24, 2013
>  head/ freeze:  September 7, 2013
>
> 10.0 is already late.  The original plan would have had 10.0 released in
> November.  That's before the first email in this thread - December.
>
> You can always ask the release engineers for an exception, but given that
> the release is already overdue I'd bet money you won't get a positive
> reception to a request to a delay for md2.
>

This is correct.

> You could ask obrien to revert his commit for head but I'd bet you won't
> get a positive response there.
>
> >> However.. the code in libmd had had a non-commercial use restriction..
> >> Even if it wasn't too late, that code won't be back.
> > That restriction was not (enough of) a problem for 20 years (since 1994) --
> > and still is not in 9.x and 8.x. But, Ok...
> >> Your best bet is to create a crypto/libmd2 port.  Start with the code
> >> from openssl.
> > Adding such a port increases the number of hoops for any user to jump
> > through -- and the maintenance costs. Whereas the cost of simply adjusting
> > the base OpenSSL's configuration to include MD2 functionality is virtually
> > zero -- a single additional file will be back (md2.h), and no new
> > libraries...
>
> The path of least resistance is to make a libmd2 port.  It's the only way I
> can see you getting to use it on 10.0.
>

This is also correct.

Glen




