From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from localhost (localhost [127.0.0.1]) by olra.theworths.org (Postfix) with ESMTP id D0D65431FBC for ; Fri, 27 Nov 2009 21:41:42 -0800 (PST) X-Virus-Scanned: Debian amavisd-new at olra.theworths.org Received: from olra.theworths.org ([127.0.0.1]) by localhost (olra.theworths.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kfF3ztnSvf6s for ; Fri, 27 Nov 2009 21:41:41 -0800 (PST) Received: from mail-yx0-f187.google.com (mail-yx0-f187.google.com [209.85.210.187]) by olra.theworths.org (Postfix) with ESMTP id D28AD431FAE for ; Fri, 27 Nov 2009 21:41:41 -0800 (PST) Received: by yxe17 with SMTP id 17so2102779yxe.33 for ; Fri, 27 Nov 2009 21:41:41 -0800 (PST) MIME-Version: 1.0 Received: by 10.90.159.16 with SMTP id h16mr2831001age.24.1259386900699; Fri, 27 Nov 2009 21:41:40 -0800 (PST) In-Reply-To: <87ws1be35o.fsf@vertex.dottedmag> References: <1259378883-9181-1-git-send-email-jeff@ocjtech.us> <87ws1be35o.fsf@vertex.dottedmag> Date: Fri, 27 Nov 2009 23:41:40 -0600 Message-ID: <935ead450911272141g7ecf917ds1547fc95da3178aa@mail.gmail.com> From: Jeffrey Ollie To: Mikhail Gusarov Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: Not Much Mail Subject: Re: [PATCH] Use libgcrypt for hashing. X-BeenThere: notmuch@notmuchmail.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: "Use and development of the notmuch mail system." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 28 Nov 2009 05:41:43 -0000 On Fri, Nov 27, 2009 at 9:31 PM, Mikhail Gusarov wrote: > Twas brillig at 21:28:03 27.11.2009 UTC-06 when jeff@ocjtech.us did gyre = and gimble: > > =C2=A0JCO> Instead of including a private implementation of the SHA1 hash > > xserver went this road, and now it has > --with-sha1=3Dlibc|libmd|libgcrypt|libcrypto|libsha1|CommonCrypto in > configure. I doubt that we'll get to that level of insanity. > =C2=A0JCO> This means less code of our own to maintain and > > As libsha1 maintainer I'm volunteering to maintain in-tree copy in > notmuch :) That's great that you're willing to take on the task, but as I do a lot of work for Fedora I tend to think about these things differently. It's not about a project here or there making private copies of some code, it's about tracking down *all* of the projects that have private copies of the code when something goes wrong, especially when there are security implications. The most famous example is Zlib. Based upon what Google turned up I see that you've been around long enough that you should have heard of the problems the computer world had when security flaws turned up in Zlib. There's even a project[1] that developed methods for identifying vulnerable code in binaries the problem was so pervasive. A more recent example is a cross-site ajax request vulnerability in the Prototype JavaScript framework[2]. A lot of projects copied that code into their repositories as well, and now someone has to track all of those down and get them fixed as well. When projects copy code into their repositories like this, it makes things a lot more difficult for someone else down the road. Both Fedora[3] and Debian[4] (and Ubuntu by extension), while not expressly forbidding the practice, *strongly* recommend against it. I'd really recommend reading the Fedora page that explains the policy as it has a great summation of the problem. [1] http://www.enyo.de/fw/security/zlib-fingerprint/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-7220 [3] https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries [4] http://www.debian.org/doc/debian-policy/ch-source.html#s-embeddedfiles --=20 Jeff Ollie