Bug#745772: ITP: libdigest-perl-md5-perl -- Perl Implementation of Rivest's MD5 algorithm
On Fri, Apr 25, 2014 at 12:10:04PM -0400, Daniel Kahn Gillmor wrote: On 04/24/2014 06:09 PM, Florian Schlichting wrote: Digest::Perl::MD5s has the same interface as the much faster Digest::MD5, but unlike that, it is not an interface but a Perl implementation of MD5. Because of this it is slow but it works without C-Code. You should use Digest::MD5 instead of this module if it is available. This module is only useful for - computers where you cannot install Digest::MD5 (e.g. lack of a C-Compiler) - encrypting only small amounts of data (less than one million bytes), I think the use of the term encrypting above should be changed to hashing, since MD5 is not an encryption algorithm. I agree, that should be changed in the next upload libdigest-perl-md5-perl is a dependency of libspreadsheet-parseexcel-perl, which uses its internal state in its decryption routines and hence cannot be switched to use Digest::MD5 instead. It will be maintained by pkg-perl. huh, this seems like a weird thing to do. What part of the internal state does libspreadsheet-parseexcel-perl need? is it just doing partial digests and then continuing, for example? if so, Digest::MD5 has $md5-clone() which should support this use case. If it really needs access to the internal state of the digest function for some reason, perhaps Digest::MD5 could be extended to provide that access? I know TMTOWTDI, but introducing this implementation to debian seems like a regression, when we know that all debian systems actually have Digest::MD5 already. libspreadsheet-parseexcel-perl has been waiting for something like this to happen for a little over three years now, so I think it's safe to say it's not going to happen, and it's a lot easier to have an alternative implementation of the MD5 algorithm packaged, which is clearly marked as inferior and not used unless specifically requested, but available for use by libspreadsheet-parseexcel-perl. If you want to look at the details of this use of internal state, it can be found here: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libspreadsheet-parseexcel-perl.git;a=blob;f=lib/Spreadsheet/ParseExcel.pm;h=7285783835427b592bb899578d93469f5afd8f65;hb=a828ce1458524757e2bbf74a18647d382cd8ea5a#l247 If that link doesn't work, look at lib/Spreadsheet/ParseExcel.pm and search for Digest::Perl::MD5; there's a sub md5state in a section marked Decryption routines, based on sources of gnumeric (ms-biff.c ms-excel-read.c), which is used from both MakeKey() and VerifyPassword(). I have to admit I don't understand what exactly it's doing there and whether or how Digest::MD5 in core could be used or patched to be useable instead; but given how easy and fast it is to just package Digest::Perl::MD5, and that I cannot see how this is going to cause any harm (apart from burdening the Debian archive with yet another package - but maybe I'm overlooking something?), I thought it safe to resolve the Spreadsheet::Parseexcel stalemate by uploading libdigest-perl-md5-perl. Florian -- To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140428130255.gt972...@zedat.fu-berlin.de
Bug#745772: ITP: libdigest-perl-md5-perl -- Perl Implementation of Rivest's MD5 algorithm
On 04/28/2014 09:02 AM, Florian Schlichting wrote: libspreadsheet-parseexcel-perl has been waiting for something like this to happen for a little over three years now, so I think it's safe to say it's not going to happen, and it's a lot easier to have an alternative implementation of the MD5 algorithm packaged, which is clearly marked as inferior and not used unless specifically requested, but available for use by libspreadsheet-parseexcel-perl. If you want to look at the details of this use of internal state, it can be found here: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libspreadsheet-parseexcel-perl.git;a=blob;f=lib/Spreadsheet/ParseExcel.pm;h=7285783835427b592bb899578d93469f5afd8f65;hb=a828ce1458524757e2bbf74a18647d382cd8ea5a#l247 wow. md5 state without the finalization step, combined with RC4. What an awesome stack of technology :P If that link doesn't work, look at lib/Spreadsheet/ParseExcel.pm and search for Digest::Perl::MD5; there's a sub md5state in a section marked Decryption routines, based on sources of gnumeric (ms-biff.c ms-excel-read.c), which is used from both MakeKey() and VerifyPassword(). I have to admit I don't understand what exactly it's doing there and whether or how Digest::MD5 in core could be used or patched to be useable instead; but given how easy and fast it is to just package Digest::Perl::MD5, and that I cannot see how this is going to cause any harm (apart from burdening the Debian archive with yet another package - but maybe I'm overlooking something?), I thought it safe to resolve the Spreadsheet::Parseexcel stalemate by uploading libdigest-perl-md5-perl. I don't have time to look into it further myself or fix whatever Spreadsheet::ParseExcel needs in Digest::MD5, so i'm not going to push back any harder on this. If someone has the time and interest to help Spreadsheet::Parseexcel get what it needs out of Digest::MD5, that would be awesome, though. thanks for explaining the state of play and providing some links. fwiw, a quick skim of the source makes me think it should not be too hard for the authors of Digest::MD5 to make an intermediateState function for a Digest::MD5 object. The existence of this function would serve the same role as md5state() in the code you've linked. But i don't see any bug report requesting this functionality in Digest::MD5: https://rt.cpan.org/Public/Dist/Display.html?Name=Digest-MD5 so i just reported a new one: https://rt.cpan.org/Ticket/Display.html?id=95127 if we can get that fixed, then we can update libspreadsheet-excel-perl to use it, and then we can drop libdigest-perl-md5-perl from debian. in the meantime, it sounds like you're already on the right track. thanks for handling this, Florian. Regards, --dkg signature.asc Description: OpenPGP digital signature
Bug#745772: ITP: libdigest-perl-md5-perl -- Perl Implementation of Rivest's MD5 algorithm
On 04/24/2014 06:09 PM, Florian Schlichting wrote: Package: wnpp Owner: Florian Schlichting f...@debian.org Severity: wishlist X-Debbugs-CC: debian-de...@lists.debian.org,debian-p...@lists.debian.org * Package name: libdigest-perl-md5-perl Version : 1.9 Upstream Author : Christian Lackas de...@lackas.net * URL : https://metacpan.org/release/Digest-Perl-MD5 * License : Artistic or GPL-1+ Programming Lang: Perl Description : Perl Implementation of Rivest's MD5 algorithm Digest::Perl::MD5s has the same interface as the much faster Digest::MD5, but unlike that, it is not an interface but a Perl implementation of MD5. Because of this it is slow but it works without C-Code. You should use Digest::MD5 instead of this module if it is available. This module is only useful for - computers where you cannot install Digest::MD5 (e.g. lack of a C-Compiler) - encrypting only small amounts of data (less than one million bytes), I think the use of the term encrypting above should be changed to hashing, since MD5 is not an encryption algorithm. libdigest-perl-md5-perl is a dependency of libspreadsheet-parseexcel-perl, which uses its internal state in its decryption routines and hence cannot be switched to use Digest::MD5 instead. It will be maintained by pkg-perl. huh, this seems like a weird thing to do. What part of the internal state does libspreadsheet-parseexcel-perl need? is it just doing partial digests and then continuing, for example? if so, Digest::MD5 has $md5-clone() which should support this use case. If it really needs access to the internal state of the digest function for some reason, perhaps Digest::MD5 could be extended to provide that access? I know TMTOWTDI, but introducing this implementation to debian seems like a regression, when we know that all debian systems actually have Digest::MD5 already. --dkg signature.asc Description: OpenPGP digital signature
Bug#745772: ITP: libdigest-perl-md5-perl -- Perl Implementation of Rivest's MD5 algorithm
Package: wnpp Owner: Florian Schlichting f...@debian.org Severity: wishlist X-Debbugs-CC: debian-de...@lists.debian.org,debian-p...@lists.debian.org * Package name: libdigest-perl-md5-perl Version : 1.9 Upstream Author : Christian Lackas de...@lackas.net * URL : https://metacpan.org/release/Digest-Perl-MD5 * License : Artistic or GPL-1+ Programming Lang: Perl Description : Perl Implementation of Rivest's MD5 algorithm Digest::Perl::MD5s has the same interface as the much faster Digest::MD5, but unlike that, it is not an interface but a Perl implementation of MD5. Because of this it is slow but it works without C-Code. You should use Digest::MD5 instead of this module if it is available. This module is only useful for - computers where you cannot install Digest::MD5 (e.g. lack of a C-Compiler) - encrypting only small amounts of data (less than one million bytes), e.g. hashing passwords. - educational purposes libdigest-perl-md5-perl is a dependency of libspreadsheet-parseexcel-perl, which uses its internal state in its decryption routines and hence cannot be switched to use Digest::MD5 instead. It will be maintained by pkg-perl. -- To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/1398377739.506663.19744.nullmai...@fschlich.dialup.fu-berlin.de