#130 New bundled() Provides for libiberty md5.c by Ulrich Drepper

Created 5 years ago by jankratochvil
Modified 3 months ago

libiberty contains [http://git.jankratochvil.net/?p=gdb.git;a=blob;f=libiberty/md5.c;h=0db8fc8936f30c76e020a96736182d481c147f20;hb=master md5.c by Ulrich Drepper]. [https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#cite_note-1 Packaging:No_Bundled_Libraries] does not list it.

As suggested in [https://fedorahosted.org/fpc/ticket/109#comment:9 Ticket 109] I should file this new ticket for it.

That md5.c file by Ulrich Drepper is being spread across many packages, as one can see from [http://www.google.com/search?hl=en&lr=lang_en&num=100&q=%22First%20round%3A%20using%20the%20given%20function%2C%20the%20context%20and%20a%20constant%22 Google].

There should be something like:
{{{
Provides: bundled(md5-Drepper) = libiberty 20120103
}}}

Looks like that comment comes from the RSA reference implementation. Adding Ulrich to the search does turn up a large number of hits, though: [http://www.google.com/search?hl=en&lr=lang_en&num=100&q=%22First%20round%3A%20using%20the%20given%20function%2C%20the%20context%20and%20a%20constant%22+Ulrich Google] so I think this is still valid.

From the comments, I think that this code originates in glibc but, unless I'm mistaken, glibc only provides access to it via the crypt() function, which isn't a good API for some applications (it's optimized for hashing passphrases rather than calculating hashes of large streams of data).

I'd recommend all lowercase for the virtual provide to match the other md5.c virtual provides. I can see two possibilities for the name: bundled(md5-drepper) or bundled(md5-glibc). It would be nice to capture the version that this was forked from glibc for the version but that may be lost in the mists of time. I'm not sure about using libiberty in the version -- unless the other copies are copied from libiberty it seems better to use a version string related to glibc.

The rationale for including a version string is so we can identify code that may be using problematic versions of the code when the canonical source updates. With that in mind, we could even specify that a version of "0" be used if a newer, more accurate version is not known. Then, if we find that release 2.11 of glibc fixed a long standing security issue in its md5 implementation we'd know to check all the bundled(md5-glibc) packages with version < 2.11 (and thus include the version 0 virtual provides).
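The audit described above ("check all the bundled(md5-glibc) packages with version < 2.11") depends on how rpm orders version strings. The following is an added example, not part of this ticket or of any Fedora tooling: it reimplements the core of rpm's rpmvercmp() (numeric/alphabetic segment comparison; the '~' and '^' rules are deliberately omitted) and runs the "< fixed-in version" query over a constructed inventory of virtual provides. Package names and versions in INVENTORY are made up for illustration.

```python
import re

# A version string is split into maximal runs of digits or letters; everything
# else (dots, dashes, underscores) is a separator and is ignored, as in rpm.
_SEGMENT = re.compile(r'(\d+|[a-zA-Z]+)')


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version strings: -1 if a < b, 0 if equal, 1 if a > b.

    Core rpmvercmp() rules (reimplemented here, not imported from rpm):
      * numeric segments compare numerically, alphabetic ones lexically;
      * a numeric segment is always newer than an alphabetic one;
      * if all common segments match, the string with segments left over wins.
    '~' (pre-release) and '^' (post-release) handling is intentionally omitted.
    """
    seg_a = _SEGMENT.findall(a)
    seg_b = _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0


# Constructed inventory of (package, virtual provide, version). Not real Fedora data.
INVENTORY = [
    ("binutils",  "bundled(md5-gcc)",   "20120103snap"),
    ("somepkg-a", "bundled(md5-glibc)", "2.10"),
    ("somepkg-b", "bundled(md5-glibc)", "2.11"),
    ("somepkg-c", "bundled(md5-glibc)", "0"),       # fork point unknown: "0" convention
    ("somepkg-d", "bundled(md5-glibc)", "2.12.1"),
]


def affected_packages(inventory, provide: str, fixed_in: str):
    """Return the packages whose copy of `provide` is older than `fixed_in`.

    A version of "0" always sorts below a real release, so packages that could
    not pin down their fork point are deliberately caught by this query.
    """
    return sorted(pkg for pkg, name, ver in inventory
                  if name == provide and rpmvercmp(ver, fixed_in) < 0)


if __name__ == "__main__":
    # Suppose glibc 2.11 fixed an issue in md5.c: which bundlers need a look?
    print(affected_packages(INVENTORY, "bundled(md5-glibc)", "2.11"))
```

One caveat this makes visible: a date snapshot such as "20120103snap" compares as newer than any glibc release number (20120103 > 2 in the first segment), so mixing the two schemes under a single provide name would silently exclude the snapshot copies from a "< 2.11" audit. Keeping distinct names (bundled(md5-gcc) with snapshot dates, bundled(md5-glibc) with glibc versions) avoids that. On a real system the same question is asked with `rpm -q --whatprovides 'bundled(md5-glibc)'` and the rpmvercmp ordering is what rpm applies to the versioned query.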

md5.c is shared in libiberty across binutils/gdb/gcc; its central maintenance is in gcc.

The gcc md5.c version originates from glibc but it is already forked. The two repositories have different patches applied, no longer being synced to each other.

Therefore I find the most appropriate:
{{{
Provides: bundled(md5-gcc) = 20120103snap
}}}

bundled(md5-gcc) sounds good to me.

Announce Text:

Ulrich Drepper's MD5 implementation, as found originally in gcc, was added to the list of MD5 exception cases permitted for bundling exceptions.

https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Packages_granted_exceptions

3 months ago

Metadata Update from @jankratochvil:
- Issue assigned to spot
