#361 Two more bundled MD5 implementations
Closed: Fixed. Opened 8 years ago by mschwendt.

Recently, in the "makepasswd" review another bundled MD5 implementation has been discovered. This time it's the original reference implementation by RSA as found in the RFC (files global.h, md5.h, md5.c):


If makepasswd upstream replaces it with one of the already tracked implementations, no new copylib exception from the FPC is needed. Is that assumption correct? (-> comments 25 and 26 in the ticket) In that case, no new 'bundled(md5-$IMPLEMENTATION)' name will be needed either, but the package could provide the appropriate one from the existing list.


Surprisingly, package "libsidplayfp" includes an ancient C++-ified implementation of MD5. Originally, it was not included with its predecessor and was merged from external tools/libs (such as libsidutils). It's based on the original implementation from L. Peter Deutsch but wrapped into a C++ class interface. The resulting code has been used and reused since 1999/2000:


As I understand [1] and since the implementation is based on 'bundled(md5-deutsch)', no new exception is needed, but a new name for tracking that implementation will be needed for the Provides.

[1] https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#cite_note-0

For the makepasswd question. Correct: if the implementation is replaced with an already tracked implementation then no new copylib exception is needed.

For libsidplay, FPC probably needs to vote on that. The C++ code in libsidplay clearly shows its parentage but I'm not sure off the top of my head whether a separate virtual provide or reusing the same one would be best for tracking purposes.

FPC talked about the C++ wrapping of this and decided to make a new virtual provide for it:

info New Virtual Provide for C++ port of deutsch's md5 code: bundled(md5-deutsch-c++) passed: (+1:5, 0:0, -1:0)

Added to the table on the bundled library page. Feel free to update the package to use that.
