
Bug#682401: dbmmanage: please use Digest::SHA instead of Digest::SHA1



On Sunday 22 July 2012, Arno Töll wrote:
> Evidently not too many people are using dbmmanage, even less with
> SHA1 encryption since it is not the default option but nobody
> noticed so far. Nonetheless the removal of Digest::SHA1 breaks the
> application in a fatal way when SHA-1 encryption is explicitly
> desired. Thus, I am raising the bug severity to serious and I will
> prepare a patch.

AFAICS, dbmmanage has not seen a single code commit upstream since the 
C variant, htdbm, has been introduced in 2001. Maybe we should get rid 
of dbmmanage in the 2.4 packages. But unbreaking it for wheezy by 
using Digest::SHA instead of Digest::SHA1 is still a good idea. 

> Having that said, the root issue is upstream and they probably
> still plan to support older Perl versions as well. Thus, simply
> replacing the modules used will not suffice, but that does not
> sound like a big problem either as a simple Perl version dependent
> branch will do it.
> 
> Stefan, shouldn't apache2-utils recommend the required perl
> libraries as well, instead of letting dbmmanage suggest the use of
> CPAN (e.g. for SHA1 in the past, or still in use for MD5)?

Digest::MD5 seems to be part of the "perl" package in wheezy, too. No 
recommends needed.

And I wouldn't change dependencies for squeeze unless some user 
actually complains. And even then, a suggests may be more appropriate 
in the case of Digest::SHA1, because the sha1 password hashing variant 
supported in apache is very insecure (no salt).
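The Perl-version-dependent branch mentioned above, shown as an added example (not dbmmanage's own code, and the helper names are my own): it resolves sha1_base64 from Digest::SHA when available and falls back to Digest::SHA1 otherwise, then builds Apache's unsalted {SHA} format, which makes the missing-salt point visible when two accounts share a password.

```perl
#!/usr/bin/perl
# Added example (not dbmmanage's own code): prefer Digest::SHA, which
# ships with core Perl, and fall back to Digest::SHA1 on older Perls.
use strict;
use warnings;

# Resolve a sha1_base64 implementation at runtime. The function name is
# the same in both modules; only the package differs.
my $sha1_base64;
if (eval { require Digest::SHA; 1 }) {
    $sha1_base64 = \&Digest::SHA::sha1_base64;
} elsif (eval { require Digest::SHA1; 1 }) {
    $sha1_base64 = \&Digest::SHA1::sha1_base64;
} else {
    die "Neither Digest::SHA nor Digest::SHA1 is installed\n";
}

# Apache's {SHA} scheme: base64 of the raw SHA-1 digest, plus the '='
# padding that the Perl *_base64 helpers omit (20 bytes -> 27 chars + '=').
# There is no salt anywhere in this construction.
sub apache_sha_hash {
    my ($password) = @_;
    return '{SHA}' . $sha1_base64->($password) . '=';
}

# Constructed sample input: two accounts that happen to share a password.
my %users = (alice => 'correct horse', bob => 'correct horse');
for my $name (sort keys %users) {
    printf "%s:%s\n", $name, apache_sha_hash($users{$name});
}
# Because the scheme is unsalted, alice and bob get identical hashes, so a
# leaked dbm file exposes shared passwords directly and a single
# precomputed table covers every user at once.
```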

