Re: Not-so-mass bug filing for the patented IDEA algorithm
* Neil Williams:
> Which are the offending libraries?
Botan, Crypto++, BouncyCastle, a few Perl-related packages.
> Is this mass-bug-filing intended to be against the applications that
> link against the libraries or just the offending libraries
> themselves?
Just the libraries. Debian's crypto libraries haven't got many
reverse dependencies anyway. There's a slight chance that
BouncyCastle's PGP functionality is impacted. (Old PGP is the only
de-facto standard that once promoted the adoption of IDEA.)
> Why do the upstream libraries contain an implementation of the
> algorithm in the first place?
In the case of BouncyCastle, it's probably related to its PGP support.
The others include it purely for coverage, I guess.
> Or to prevent a SONAME bump, replace the function definition with a
> no-op/error.
No-op could be quite harmful.