Ticket #130 (closed enhancement: fixed)

Opened 2 years ago

Last modified 2 years ago

New bundled() Provides for libiberty md5.c by Ulrich Drepper

Reported by: jankratochvil
Owned by: spot
Priority: minor
Milestone:
Component: Bundled Library Exception
Version:
Keywords:
Cc:
Blocked By:
Blocking:

Description

libiberty contains md5.c by Ulrich Drepper. Packaging:No_Bundled_Libraries does not list it.

As suggested in Ticket 109, I should file this new ticket for it.

That md5.c file by Ulrich Drepper is being spread across many packages, as one can see from Google.

There should be something like:

Provides: bundled(md5-Drepper) = libiberty-20120103

Change History

comment:1 Changed 2 years ago by toshio

Looks like that comment comes from the RSA reference implementation. Adding Ulrich to the search does turn up a large number of hits, though (Google), so I think this is still valid.

From the comments, I think that this code originates in glibc but, unless I'm mistaken, glibc only provides access to it via the crypt() function, which isn't a good API for some applications (it's optimized for hashing passphrases rather than calculating hashes of large streams of data).

I'd recommend all lowercase for the virtual provide to match the other md5.c virtual provides. I can see two possibilities for the name: bundled(md5-drepper) or bundled(md5-glibc). It would be nice to capture, as the version, the glibc version that this was forked from, but that may be lost in the mists of time. I'm not sure about using libiberty in the version -- unless the other copies are copied from libiberty, it seems better to use a version string related to glibc.

The rationale for including a version string is so we can identify code that may be using problematic versions of the code when the canonical source updates. With that in mind, we could even specify that a version of "0" be used if a newer, more accurate version is not known. Then, if we find that release 2.11 of glibc fixed a long standing security issue in its md5 implementation we'd know to check all the bundled(md5-glibc) packages with version < 2.11 (and thus include the version 0 virtual provides).
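
The audit the comment above has in mind (find every package whose bundled(md5-glibc) provide is older than the version that fixed a bug, with "0" catching the copies whose origin is unknown) is just a filter on the versioned virtual provides plus RPM's version ordering. The following is an added example, not code from the ticket, from Fedora or from rpm: rpmvercmp() is a simplified reimplementation of rpm's comparison rules written for this example (numeric segments beat alphabetic ones, "~" sorts before anything including end of string; rpm's "^" handling is omitted), the package names in SAMPLE_PROVIDES are constructed, and treating an unversioned bundled() provide as version "0" is this example's own choice, in line with the comment's suggestion.

```python
import itertools
import re

# Tokenise an RPM version string into the units rpmvercmp compares:
# runs of digits, runs of letters, and the pre-release marker '~'.
# Every other character (., -, _, +) is a separator and is dropped.
_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version strings; return -1, 0 or 1 like rpm's rpmvercmp().

    Simplified reimplementation written for this example (assumption: it
    follows rpm's rules for numeric vs. alphabetic segments and for '~',
    but omits rpm's '^' handling).
    """
    if a == b:
        return 0
    for x, y in itertools.zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x is None:                      # a ran out of segments first...
            return 1 if y == "~" else -1   # ...which only wins if b continues with '~'
        if y is None:
            return -1 if x == "~" else 1
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1   # '~' sorts before any real segment
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            xi, yi = int(x), int(y)        # numeric: compare as integers (leading zeros ignored)
        else:
            xi, yi = x, y                  # alphabetic: plain string comparison
        if xi != yi:
            return 1 if xi > yi else -1
    return 0


# Constructed sample: one line per (package, provide), in the shape of
# `rpm -q --provides <pkg>` output with the package name prefixed.
# All package names are hypothetical.
SAMPLE_PROVIDES = """\
example-ftpd   bundled(md5-glibc) = 2.5
example-ftpd   bundled(zlib) = 1.2.3
example-backup bundled(md5-glibc) = 0
example-mailer bundled(md5-glibc) = 2.11
example-sync   bundled(md5-glibc) = 2.11~rc1
example-sync   bundled(md5-gcc) = 20120103snap
example-old    bundled(md5-glibc)
"""

_PROVIDE = re.compile(
    r"^(?P<pkg>\S+)\s+(?P<cap>bundled\([^)]*\))(?:\s*=\s*(?P<ver>\S+))?\s*$"
)


def parse_bundled_provides(text: str):
    """Yield (package, capability, version) for every bundled() provide.

    An unversioned provide is reported as version "0" (this example's
    assumption, matching the ticket's 'use 0 if nothing better is known').
    """
    for line in text.splitlines():
        m = _PROVIDE.match(line)
        if m:
            yield m["pkg"], m["cap"], m["ver"] or "0"


def affected_packages(text: str, capability: str, fixed_in: str):
    """Return sorted package names carrying `capability` at a version below `fixed_in`."""
    hits = set()
    for pkg, cap, ver in parse_bundled_provides(text):
        if cap == capability and rpmvercmp(ver, fixed_in) < 0:
            hits.add(pkg)
    return sorted(hits)


if __name__ == "__main__":
    # Hypothetical scenario from the comment: the fix landed in glibc 2.11.
    for pkg in affected_packages(SAMPLE_PROVIDES, "bundled(md5-glibc)", "2.11"):
        print("needs review:", pkg)
```

With the constructed data, the unversioned and "= 0" copies are flagged alongside the 2.5 and 2.11~rc1 ones, while the package already at 2.11 and the separately named bundled(md5-gcc) copy are left alone; on a real system the same lines would come from rpm's own query output.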

comment:2 Changed 2 years ago by jankratochvil

md5.c is shared in libiberty across binutils/gdb/gcc; its central maintenance is in gcc.

The gcc md5.c version originates from glibc but it is already forked. The two repositories have different patches applied, no longer being synced to each other.

Therefore I find this the most appropriate:

Provides: bundled(md5-gcc) = 20120103snap

comment:3 Changed 2 years ago by toshio

bundled(md5-gcc) sounds good to me.

comment:4 Changed 2 years ago by spot

  • Owner set to spot
  • Status changed from new to assigned

comment:5 Changed 2 years ago by spot

  • Status changed from assigned to closed
  • Resolution set to fixed

Announce Text:

Ulrich Drepper's MD5 implementation, as found originally in gcc, was added to the list of MD5 exception cases permitted for bundling exceptions.

https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Packages_granted_exceptions
