Re: Intent to Rewrite: pwgen

[Theodore Tso <tytso@mit.edu>]

On Fri, Jun 01, 2001 at 11:52:19AM +0200, Marc Haber wrote:
> On Thu, 31 May 2001 08:55:11 -0400, tytso@valinux.com wrote:
> >So because of the licensing issues of the existing pwgen program (see
> >Debian bug #39130) --- basically, there is no licensing statement, and
> >without being able to identify all the people who have worked on it, it
> >will be difficult to resolve them --- I've taken up the challenge of
> >rewriting it from scratch.  It turns out that the existing code is
> >overly complicated and somewhat buggy, and it's easier to rewrite it
> >from scratch than to fix the existing code anyway.
> 
> Are you aware of apg (http://www.adel.nursat.kz/apg/)? It comes with a
> DFSG-free license and seems to do a much better job of generating
> passwords. I have filed an ITP a few weeks ago, didn't get around to
> package it yet and would happily step aside if somebody else can do it
> faster than me.

No, I wasn't aware of apg.  It's a nice program, and it definitely has
some nice features.  You should definitely package it.  (I'd suggest
that you *not* package the unencrypted TCP-based password generation
service running on port 129, though, since it's basically just a Bad
Idea.  "Can you say 'Attractive Nuisance'?  I knew you could...."  :-)

I've already started writing my pwgen replacement, though, so I'll
probably at least try to get it to a stable state so it can replace
the current pwgen (with license problems).

One note about apg is that since the sources use the CAST encryption
algorithm to do its random number generation (instead of relying on
/dev/random or some MD5 or SHA based scheme), apg would have to go
into non-US.  

So there is still some value in doing a pwgen replacement, although I
do have to say apg is very interesting.

							- Ted

P.S.  I've created a pwgen project on sourceforge, with a CVS repository:

	http://sourceforge.net/projects/pwgen