md2 on current and 10.

Peter Wemm peter at wemm.org
Thu Jan 9 01:05:54 UTC 2014


On 1/8/14, 7:00 AM, Mikhail T wrote:
> On 08.01.2014 02:54, Peter Wemm wrote:
>>> > Could we, please, have MD2 resurrected before 10.0 is officially out?
>>> > Preferably in both -lmd and -lcrypto, but certainly in the former. Thank
>>> > you! Yours,
>> The time to bring this up was before the freeze for 10.0, a good 6+
>> months ago. It is way too late now.
> First of all, Peter, are you talking as a core-member, or expressing
> personal opinion? In any case, I'd say it is not entirely fair to blame me
> for reporting a problem "late" -- without any apologies about causing it in
> the first place...
> 
> But is it really "too late" to add such a small piece back to where it was?
> I'm not talking about resurrecting uucp here... Meanwhile, any existing
> MD2-using application will simply break after upgrade -- does that not
> bother anyone? If the code was removed after 19 years in the tree, is 6
> months really "too late" to resurrect it?

Personal unless stated otherwise.

By "too late" I mean the cutoff has already passed for the final RC and
there won't be more unless there's an absolute emergency.

As for timeliness of the request, here's the original commit:
------------------------------------------------------------------------
r234746 | obrien | 2012-04-27 19:48:51 -0700 (Fri, 27 Apr 2012) | 10 lines

Remove the RFC 1319 MD2 Message-Digest Algorithm routines from libmd.

1. The licensing terms for the MD2 routines from RFC is not under a BSD-like
   license.  Instead it is only granted for non-commercial Internet
   Privacy-Enhanced Mail.
2. MD2 is quite deprecated as it is no longer considered a cryptographically
   strong algorithm.

Discussed with: so (cperciva), core
------------------------------------------------------------------------

The original feature cutoff schedules were:

 head/ slush:   August 24, 2013
 head/ freeze:  September 7, 2013

10.0 is already late.  The original plan would have had 10.0 released in
November.  That's before the first email in this thread - December.

You can always ask the release engineers for an exception, but given that
the release is already overdue I'd bet money you won't get a positive
reception to a request for a delay for md2.

You could ask obrien to revert his commit for head but I'd bet you won't
get a positive response there.

>> However.. the code in libmd had had a non-commercial use restriction..
>> Even if it wasn't too late, that code won't be back.
> That restriction was not (enough of) a problem for 20 years (since 1994) --
> and still is not in 9.x and 8.x. But, Ok...
>> Your best bet is to create a crypto/libmd2 port.  Start with the code
>> from openssl.
> Adding such a port increases the number of hoops for any user to jump
> through -- and the maintenance costs. Whereas the cost of simply adjusting
> the base OpenSSL's configuration to include MD2 functionality is virtually
> zero -- a single additional file will be back (md2.h), and no new
> libraries...

The path of least resistance is to make a libmd2 port.  It's the only way I
can see you getting to use it on 10.0.

-- 
Peter Wemm - peter at wemm.org; peter at FreeBSD.org; peter at yahoo-inc.com; KI6FJV
UTF-8: for when a ' just won’t do.

