Hi,

On Wed, May 18, 2022 at 6:34 PM Bastian Germann <b...@debian.org> wrote:
> Should I take the upstream sasl patches which enable DIGEST-MD5 again or is

s/enable/fix/ :)

> it time to drop that mechanism, which is obsoleted by RFC6331 for 11 years?

It looks like upstream wants to obsolete DIGEST-MD5 and default it to "no" in 2.2.0:
https://github.com/cyrusimap/cyrus-sasl/issues/726

There is also this comment from Howard
(https://github.com/cyrusimap/cyrus-sasl/issues/665#issuecomment-931753459)
"""
As usual for deprecating/removing something like digestmd5, the
replacement (SCRAM) should be in wide use before the actual
deletion/removal.
"""

> What would I need to do on dropping it? An entry in NEWS, notifying the
> release team, something else?

Personally I think removing an authentication mechanism is a big deal,
as its removal will break sites that use it during an upgrade.
Definitely big flashy warnings are warranted.

In the meantime, I'll put up a PR with the minimal fix plus a new DEP8
test to catch the problem.