[Rpm-maint] [rpm-software-management/rpm] check that libcrypto supports MD2 (#453)
Jeff Johnson
notifications at github.com
Mon Jun 25 15:11:28 UTC 2018
OpenSSL requires MD2 because BeeCrypt in RPM unconditionally supplied MD2, feature parity.
BeeCrypt implemented MD2 because -- at the time -- MD2 was still used but already known broken, legacy (and standard) compatibility.
RPM implemented MD2 because it was there, feature completeness.
The modern practice of optional features tied to exposed library symbols that are not enabled because of "security reasons" forces not only extraneous configure options, but also complicated library versioning and packaging dependencies.
The best approach IMHO would be run-time, not build-time, detection of MD2. This is perhaps doable with weak symbols or vectors to stub in missing symbols that OpenSSL has removed.
One can alternatively carry around configure detection and conditional compilation. But that also forces rpm to track the ever-evolving OpenSSL API, most of which rpm does not (and will not ever) need.
Simplest of all would be to rip out MD2 everywhere in RPM.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/453#issuecomment-399986673
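The run-time detection with weak symbols and a stub vector that the message suggests could look like the following. This is an added example, not code from the message or from rpm: `digest_lookup`, `digest_available`, `md_unsupported` and the two `example_*` digests are hypothetical names, and `EVP_MD` is declared as an opaque stand-in so the block builds without OpenSSL headers or libcrypto (GCC/Clang on ELF assumed).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct evp_md_st EVP_MD;           /* opaque stand-in, no OpenSSL headers */
typedef const EVP_MD *(*md_ctor)(void);

/* Weak references: the address stays NULL when the libcrypto in use (if any)
 * does not export the symbol, instead of the link or program start failing. */
extern const EVP_MD *EVP_md2(void) __attribute__((weak));
extern const EVP_MD *EVP_sha256(void) __attribute__((weak));
/* Hypothetical symbol no library defines: always takes the "missing" path. */
extern const EVP_MD *example_absent_digest(void) __attribute__((weak));

/* Constructed local digest so the "present" path runs without libcrypto. */
static const EVP_MD *example_present_digest(void)
{
    static const char marker = 0;
    return (const EVP_MD *)&marker;
}

/* Stub vectored in for any missing constructor: reports "unsupported". */
static const EVP_MD *md_unsupported(void) { return NULL; }

static const struct { const char *name; md_ctor ctor; } digests[] = {
    { "md2",             EVP_md2 },
    { "sha256",          EVP_sha256 },
    { "example-absent",  example_absent_digest },
    { "example-present", example_present_digest },
};
#define NDIGESTS (sizeof digests / sizeof digests[0])

/* Constructor for `name`, the stub if its symbol is missing, NULL if unknown. */
md_ctor digest_lookup(const char *name)
{
    for (size_t i = 0; i < NDIGESTS; i++)
        if (strcmp(digests[i].name, name) == 0)
            return digests[i].ctor ? digests[i].ctor : md_unsupported;
    return NULL;
}

/* 1 = usable, 0 = known but not provided by this library, -1 = unknown name. */
int digest_available(const char *name)
{
    md_ctor ctor = digest_lookup(name);
    return ctor == NULL ? -1 : ctor() != NULL;
}

int main(void)
{
    for (size_t i = 0; i < NDIGESTS; i++)
        printf("%-16s %d\n", digests[i].name, digest_available(digests[i].name));
    return 0;
}
```

Built without `-lcrypto`, `md2` and `sha256` both report 0; linked against a libcrypto that lacks `EVP_md2`, only `md2` does, with no configure option or conditional compilation involved.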