On Wed, Jan 08, 2014 at 05:05:51PM -0800, Peter Wemm wrote: > On 1/8/14, 7:00 AM, Mikhail T wrote: > > On 08.01.2014 02:54, Peter Wemm wrote: > >>> > Could we, please, have MD2 resurrected before 10.0 is officially out? > >>> > Preferably in both -lmd and -lcrypto, but certainly in the former. Thank > >>> > you! Yours, > >> The time to bring this up was before the freeze for 10.0, a good 6+ > >> months ago. It is way too late now. > > First of all, Peter, are you talking as a core-member, or expressing > > personal opinion? In any case, I'd say it is not entirely fair to blame me > > for reporting a problem "late" -- without any apologies about causing it in > > the first place... > > > > But is it really "too late" to add such a small piece back to where it was? > > I'm not talking about resurrecting uucp here... Meanwhile, any existing > > MD2-using application will simply break after upgrade -- does that not > > bother anyone? If the code was removed after 19 years in the tree, is 6 > > months really "too late" to resurrect it? > > Personal unless stated otherwise. > > By "too late" I mean the cutoff has already passed for the final RC and > there won't be more unless there's an absolute emergency. > > As for timeliness of the request, here's the original commit: > ------------------------------------------------------------------------ > r234746 | obrien | 2012-04-27 19:48:51 -0700 (Fri, 27 Apr 2012) | 10 lines > > Remove the RFC 1319 MD2 Message-Digest Algorithm routines from libmd. > > 1. The licensing terms for the MD2 routines from RFC is not under a BSD-like > license. Instead it is only granted for non-commercial Internet > Privacy-Enhanced Mail. > 2. MD2 is quite deprecated as it is no longer considered a cryptographically > strong algorithm. > > Discussed with: so (cperciva), core > ------------------------------------------------------------------------ > > The original feature cutoff schedules were: > > head/ slush: August 24, 2013 > head/ freeze: September 7, 2013 > > 10.0 is already late. The original plan would have had 10.0 released in > November. That's before the first email in this thread - December. > > You can always ask the release engineers for an exception, but given that > the release is already overdue I'd bet money you won't get a positive > reception to a request to a delay for md2. > This is correct. > You could ask obrien to revert his commit for head but I'd bet you won't > get a positive response there. > > >> However.. the code in libmd had had a non-commercial use restriction.. > >> Even if it wasn't too late, that code won't be back. > > That restriction was not (enough of) a problem for 20 years (since 1994) -- > > and still is not in 9.x and 8.x. But, Ok... > >> Your best bet is to create a crypto/libmd2 port. Start with the code > >> from openssl. > > Adding such a port increases the number of hoops for any user to jump > > through -- and the maintenance costs. Whereas the cost of simply adjusting > > the base OpenSSL's configuration to include MD2 functionality is virtually > > zero -- a single additional file file will be back (md2.h), and no new > > libraries... > > The path of least resistance is to make a libmd2 port. It's the only way I > can see you getting to use it on 10.0. > This is also correct. Glen
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:46 UTC