
Bug#745772: ITP: libdigest-perl-md5-perl -- Perl Implementation of Rivest's MD5 algorithm



On Fri, Apr 25, 2014 at 12:10:04PM -0400, Daniel Kahn Gillmor wrote:
> On 04/24/2014 06:09 PM, Florian Schlichting wrote:
> > Digest::Perl::MD5s has the same interface as the much faster Digest::MD5, but
> > unlike that, it is not an interface but a Perl implementation of MD5. Because
> > of this it is slow but it works without C-Code. You should use Digest::MD5
> > instead of this module if it is available. This module is only useful for
> > 
> >  - computers where you cannot install Digest::MD5 (e.g. lack of a C-Compiler)
> >  - encrypting only small amounts of data (less than one million bytes),
> 
> I think the use of the term "encrypting" above should be changed to
> "hashing", since MD5 is not an encryption algorithm.

I agree, that should be changed in the next upload.

> > libdigest-perl-md5-perl is a dependency of libspreadsheet-parseexcel-perl,
> > which uses its internal state in its decryption routines and hence cannot be
> > switched to use Digest::MD5 instead. It will be maintained by pkg-perl.
> 
> huh, this seems like a weird thing to do.  What part of the internal
> state does libspreadsheet-parseexcel-perl need?
> 
> is it just doing partial digests and then continuing, for example?  if
> so, Digest::MD5 has $md5->clone() which should support this use case.
> 
> If it really needs access to the internal state of the digest function
> for some reason, perhaps Digest::MD5 could be extended to provide that
> access?  I know TMTOWTDI, but introducing this implementation to debian
> seems like a regression, when we know that all debian systems actually
> have Digest::MD5 already.

libspreadsheet-parseexcel-perl has been waiting for something like this
to happen for a little over three years now, so I think it's safe to say
it's not going to happen, and it's a lot easier to have an alternative
implementation of the MD5 algorithm packaged, which is clearly marked as
inferior and not used unless specifically requested, but available for
use by libspreadsheet-parseexcel-perl.

If you want to look at the details of this use of "internal state", it
can be found here:
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libspreadsheet-parseexcel-perl.git;a=blob;f=lib/Spreadsheet/ParseExcel.pm;h=7285783835427b592bb899578d93469f5afd8f65;hb=a828ce1458524757e2bbf74a18647d382cd8ea5a#l247

If that link doesn't work, look at lib/Spreadsheet/ParseExcel.pm and
search for "Digest::Perl::MD5"; there's a sub "md5state" in a section
marked "Decryption routines, based on sources of gnumeric (ms-biff.c
ms-excel-read.c)", which is used from both MakeKey() and
VerifyPassword(). I have to admit I don't understand what exactly it's
doing there and whether or how Digest::MD5 in core could be used or
patched to be useable instead; but given how easy and fast it is to just
package Digest::Perl::MD5, and that I cannot see how this is going to
cause any harm (apart from burdening the Debian archive with yet another
package - but maybe I'm overlooking something?), I thought it safe to
resolve the Spreadsheet::ParseExcel stalemate by uploading
libdigest-perl-md5-perl.

Florian

