Bug#682401: dbmmanage: please use Digest::SHA instead of Digest::SHA1

On Sunday 22 July 2012, Arno Töll wrote:
> Evidently not too many people are using dbmmanage, even fewer with
> SHA1 encryption since it is not the default option but nobody
> noticed so far. Nonetheless the removal of Digest::SHA1 breaks the
> application in a fatal way when SHA-1 encryption is explicitly
> desired. Thus, I am raising the bug severity to serious and I will
> prepare a patch.

AFAICS, dbmmanage has not seen a single code commit upstream since the
C variant, htdbm, was introduced in 2001. Maybe we should get rid
of dbmmanage in the 2.4 packages. But unbreaking it for wheezy by
using Digest::SHA instead of Digest::SHA1 is still a good idea.

> Having said that, the root issue is upstream and they probably
> still plan to support older Perl versions as well. Thus, simply
> replacing the modules used will not suffice, but that does not
> sound like a big problem either as a simple Perl version dependent
> branch will do it.
> Stefan, shouldn't apache2-utils recommend the required perl
> libraries as well, instead of letting dbmmanage suggest the use of
> CPAN (e.g. for SHA1 in the past, or still in use for MD5)?

Digest::MD5 seems to be part of the "perl" package in wheezy, too. No
And I wouldn't change dependencies for squeeze unless some user
actually complains. And even then, a suggests may be more appropriate
in the case of Digest::SHA1, because the sha1 password hashing variant
supported in apache is very insecure (no salt).
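
An added example, not part of the original message and not dbmmanage's own code: one way to write the module fallback discussed above, followed by a check showing why the unsalted {SHA} scheme is weak (equal passwords always give equal entries). The helper name sha_entry and the sample accounts are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Prefer Digest::SHA (in core Perl since 5.10) and fall back to the older
# Digest::SHA1 module where only that one is installed. Both modules
# provide a sha1_base64() function with the same behaviour.
my $sha1_base64;
for my $mod (qw(Digest::SHA Digest::SHA1)) {
    if (eval "require $mod; 1") {
        $sha1_base64 = $mod->can('sha1_base64');
        last if $sha1_base64;
    }
}
die "neither Digest::SHA nor Digest::SHA1 is available\n"
    unless $sha1_base64;

# Apache's {SHA} scheme: base64 of the raw SHA-1 digest of the password.
# There is no salt, so the entry depends on the password alone.
sub sha_entry {
    my ($password) = @_;
    my $b64 = $sha1_base64->($password);
    $b64 .= '=' while length($b64) % 4;   # sha1_base64 omits the padding
    return '{SHA}' . $b64;
}

# Constructed sample accounts: alice and bob share a password.
my %users = (
    alice => 'correct horse',
    bob   => 'correct horse',
    carol => 'tr0ub4dor',
);

# Print the entries and group user names by resulting hash.
my %by_hash;
for my $user (sort keys %users) {
    my $entry = sha_entry($users{$user});
    print "$user:$entry\n";
    push @{ $by_hash{$entry} }, $user;
}

# Any group with more than one user exposes a shared password.
for my $entry (sort keys %by_hash) {
    my @who = @{ $by_hash{$entry} };
    print "identical entry for: @who\n" if @who > 1;
}
```

The same grouping can be run over an existing password file as an audit: any two accounts with an identical {SHA} entry share a password, which a salted scheme would not reveal.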