On Sunday 22 July 2012, Arno Töll wrote:
> Evidently not too many people are using dbmmanage, even less with
> SHA1 encryption since it is not the default option but nobody
> noticed so far. Nonetheless the removal of Digest::SHA1 breaks the
> application in a fatal way when SHA-1 encryption is explicitly
> desired. Thus, I am raising the bug severity to serious and I will
> prepare a patch.

AFAICS, dbmmanage has not seen a single code commit upstream since the
C variant, htdbm, was introduced in 2001. Maybe we should get rid of
dbmmanage in the 2.4 packages. But unbreaking it for wheezy by using
Digest::SHA instead of Digest::SHA1 is still a good idea.

> Having said that, the root issue is upstream and they probably
> still plan to support older Perl versions as well. Thus, simply
> replacing the modules used will not suffice, but that does not
> sound like a big problem either as a simple Perl version dependent
> branch will do it.
>
> Stefan, shouldn't apache2-utils recommend the required perl
> libraries as well, instead of letting dbmmanage suggest the use of
> CPAN (e.g. for SHA1 in the past, or still in use for MD5)?

Digest::MD5 seems to be part of the "perl" package in wheezy, too. No
recommends needed. And I wouldn't change dependencies for squeeze
unless some user actually complains. And even then, a suggests may be
more appropriate in the case of Digest::SHA1, because the sha1
password hashing variant supported in apache is very insecure (no
salt).
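
Added example (not part of the original message, and not dbmmanage's own code): a Perl sketch of the two points discussed above, loading Digest::SHA with a fallback to Digest::SHA1, and auditing password records for the unsalted {SHA} scheme. It falls back on module availability rather than a Perl version check; the helper name sha1_entry and all sample records are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Prefer Digest::SHA (in core since Perl 5.10); fall back to the older
# Digest::SHA1 module where only that one is installed.
my $sha1_base64;
if (eval { require Digest::SHA; 1 }) {
    $sha1_base64 = \&Digest::SHA::sha1_base64;
} elsif (eval { require Digest::SHA1; 1 }) {
    $sha1_base64 = \&Digest::SHA1::sha1_base64;
} else {
    die "neither Digest::SHA nor Digest::SHA1 is available\n";
}

# Apache's {SHA} scheme: base64 of the raw SHA-1 digest, no salt.
# sha1_base64() omits padding; a 20-byte digest always needs one "=".
# (sha1_entry is a hypothetical helper name.)
sub sha1_entry {
    my ($password) = @_;
    return '{SHA}' . $sha1_base64->($password) . '=';
}

# Constructed sample records in "user:hash" form (not real data).
my @records = (
    'alice:' . sha1_entry('correct horse'),
    'bob:'   . sha1_entry('hunter2'),
    'carol:' . sha1_entry('correct horse'),
    'dave:$apr1$examplesalt$placeholderhashvalue00',   # constructed placeholder
);

# Audit: collect users on the unsalted scheme, grouped by hash value.
my %users_by_hash;
for my $record (@records) {
    my ($user, $hash) = split /:/, $record, 2;
    next unless defined $hash && $hash =~ /^\{SHA\}/;
    push @{ $users_by_hash{$hash} }, $user;
}

for my $hash (sort keys %users_by_hash) {
    my @users = @{ $users_by_hash{$hash} };
    printf "%-8s uses unsalted {SHA}\n", $_ for @users;
    # Without a salt, equal passwords always produce equal hashes.
    printf "  same password: %s\n", join(', ', @users) if @users > 1;
}
```

Because there is no per-user salt, alice and carol end up with byte-identical entries, which is what the audit's duplicate grouping reports.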