Recently, in the "makepasswd" review another bundled MD5 implementation has been discovered. This time it's the original reference implementation by RSA as found in the RFC (files global.h, md5.h, md5.c):
If makepasswd upstream replaces it with one of the already tracked implementations, no new copylib exception from the FPC is needed. Is that assumption correct? (-> comments 25 and 26 in the ticket) In that case, no new 'bundled(md5-$IMPLEMENTATION)' name will be needed either, but the package could provide the appropriate one from the existing list.
Surprisingly, package "libsidplayfp" includes an ancient C++-ified implementation of MD5. Originally, it has not been included with its predecessor and has been merged from external tools/libs (such as libsidutils). It's based on the original implementation from L. Peter Deutsch but wrapped into a C++ class interface. The resulting code has been used and reused since 1999/2000:
As I understand  and since the implementation is based on 'bundled(md5-deutsch)', no new exception is needed, but a new name for tracking that implementation will be needed for the Provides.
For the makepasswd question. Correct: if the implementation is replaced with an already tracked implementation then no new copylib exception is needed.
For libsidplay, FPC probably needs to vote on that. The C++ code in libsidplay clearly shows its parentage but I'm not sure off the top of my head whether a separate virtual provide or reusing the same one would be best for tracking purposes.
FPC talked about the C++ wrapping of this and decided to make a new virtual provide for it:
Added to the table on the bundled library page. Feel free to update the package to use that.
to comment on this ticket.