On 1/8/14, 7:00 AM, Mikhail T wrote: > On 08.01.2014 02:54, Peter Wemm wrote: >>> > Could we, please, have MD2 resurrected before 10.0 is officially out? >>> > Preferably in both -lmd and -lcrypto, but certainly in the former. Thank >>> > you! Yours, >> The time to bring this up was before the freeze for 10.0, a good 6+ >> months ago. It is way too late now. > First of all, Peter, are you talking as a core-member, or expressing > personal opinion? In any case, I'd say it is not entirely fair to blame me > for reporting a problem "late" -- without any apologies about causing it in > the first place... > > But is it really "too late" to add such a small piece back to where it was? > I'm not talking about resurrecting uucp here... Meanwhile, any existing > MD2-using application will simply break after upgrade -- does that not > bother anyone? If the code was removed after 19 years in the tree, is 6 > months really "too late" to resurrect it? Personal unless stated otherwise. By "too late" I mean the cutoff has already passed for the final RC and there won't be more unless there's an absolute emergency. As for timeliness of the request, here's the original commit: ------------------------------------------------------------------------ r234746 | obrien | 2012-04-27 19:48:51 -0700 (Fri, 27 Apr 2012) | 10 lines Remove the RFC 1319 MD2 Message-Digest Algorithm routines from libmd. 1. The licensing terms for the MD2 routines from RFC is not under a BSD-like license. Instead it is only granted for non-commercial Internet Privacy-Enhanced Mail. 2. MD2 is quite deprecated as it is no longer considered a cryptographically strong algorithm. Discussed with: so (cperciva), core ------------------------------------------------------------------------ The original feature cutoff schedules were: head/ slush: August 24, 2013 head/ freeze: September 7, 2013 10.0 is already late. The original plan would have had 10.0 released in November. That's before the first email in this thread - December. You can always ask the release engineers for an exception, but given that the release is already overdue I'd bet money you won't get a positive reception to a request to a delay for md2. You could ask obrien to revert his commit for head but I'd bet you won't get a positive response there. >> However.. the code in libmd had had a non-commercial use restriction.. >> Even if it wasn't too late, that code won't be back. > That restriction was not (enough of) a problem for 20 years (since 1994) -- > and still is not in 9.x and 8.x. But, Ok... >> Your best bet is to create a crypto/libmd2 port. Start with the code >> from openssl. > Adding such a port increases the number of hoops for any user to jump > through -- and the maintenance costs. Whereas the cost of simply adjusting > the base OpenSSL's configuration to include MD2 functionality is virtually > zero -- a single additional file file will be back (md2.h), and no new > libraries... The path of least resistance is to make a libmd2 port. It's the only way I can see you getting to use it on 10.0. -- Peter Wemm - peter_at_wemm.org; peter_at_FreeBSD.org; peter_at_yahoo-inc.com; KI6FJV UTF-8: for when a ' just won\342\200\231t do.Received on Thu Jan 09 2014 - 00:05:53 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:46 UTC