From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 16 04:53:44 2019 Received: (at submit) by debbugs.gnu.org; 16 Sep 2019 08:53:44 +0000 Received: from localhost ([127.0.0.1]:49170 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9mlU-0007B0-8F for submit@debbugs.gnu.org; Mon, 16 Sep 2019 04:53:44 -0400 Received: from lists.gnu.org ([209.51.188.17]:42563) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9mlS-0007At-Qx for submit@debbugs.gnu.org; Mon, 16 Sep 2019 04:53:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34043) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i9mlR-0006Cj-FH for bug-gnu-emacs@gnu.org; Mon, 16 Sep 2019 04:53:42 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: ** X-Spam-Status: No, score=2.9 required=5.0 tests=BAYES_50,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPOOFED_FREEMAIL autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1i9mlQ-000465-2x for bug-gnu-emacs@gnu.org; Mon, 16 Sep 2019 04:53:41 -0400 Received: from mail-pl1-f177.google.com ([209.85.214.177]:44671) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1i9mlP-00041h-RF for bug-gnu-emacs@gnu.org; Mon, 16 Sep 2019 04:53:40 -0400 Received: by mail-pl1-f177.google.com with SMTP id k1so16618904pls.11 for ; Mon, 16 Sep 2019 01:53:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=pYOLBXx6bPFJgqX9GeJDqB7Fb8wpeFyHgunwQq7PMaU=; b=fr98pwRhIz2SA2/Fs1nWp5AXz9ohGf5cbiMSvf9HuBy7Jgr2mWnmfx0pUSCL3L54n1 eU1PwnqtCW4QteY01DYbeF4li0K/pKGRChJ7T1KABOnsIVL0Keiv8WuPLNMXPaPny2yY h5oTESXPLah/5BzRwfCcAeGKVebWhOZZpv2OqmNaAp5Bgfb2FpBG0xCcS75kL5rJFVes zWtK17FEJqTLEtw56nrAvwarrNuLLDlsIF0tfVY0MxnvSqPhWvlI5pI6+Pgqgri3PTAa t6UMXLrPg7dxmZUfPmBrdMXZauDv5a/2GHTK8cLNVUykt/LIogg31tE4QsioSvTfWTKM p6Ww== X-Gm-Message-State: APjAAAU7Kidh04MkMDIYuOahEYaR5iYWrOy21/z2YSGbjhp0/ctXdW7K S2u+LRFxV+jiHDD18j2Nt1Ca7xYtlod/4EH/976gOJ+G7f8= X-Google-Smtp-Source: APXvYqwZ0ndTVWfN8LGjycLJTUIakbQjv9QVHMY+CeWBdYewpAXt//oaCkBdlMf3Z9S02UrIzx2qWZbt9NGJK4SKbQ4= X-Received: by 2002:a17:902:326:: with SMTP id 35mr64316024pld.128.1568624018545; Mon, 16 Sep 2019 01:53:38 -0700 (PDT) MIME-Version: 1.0 From: Stefan Kangas Date: Mon, 16 Sep 2019 10:53:27 +0200 Message-ID: Subject: [PATCH] Recommend against SHA-1 for security-related applications To: bug-gnu-emacs@gnu.org Content-Type: multipart/mixed; boundary="00000000000069d6310592a7bd9a" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 209.85.214.177 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: SHA-1 has now seen collision attacks: https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/ We should clarify that these attacks are not only theoretical, and actively discourage using it in security-related applications in the Elisp Manual. The attached patch is an attempt at doing that. Content analysis details: (1.3 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (stefankangas[at]gmail.com) 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 1.0 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail) -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [209.51.188.17 listed in list.dnswl.org] 0.2 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom freemail headers are different 2.1 SPOOFED_FREEMAIL No description available. X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.3 (/) --00000000000069d6310592a7bd9a Content-Type: text/plain; charset="UTF-8" SHA-1 has now seen collision attacks: https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/ We should clarify that these attacks are not only theoretical, and actively discourage using it in security-related applications in the Elisp Manual. The attached patch is an attempt at doing that. Any comments? Best regards, Stefan Kangas --00000000000069d6310592a7bd9a Content-Type: text/x-patch; charset="US-ASCII"; name="0001-Recommend-against-SHA-1-for-security-related-applica.patch" Content-Disposition: attachment; filename="0001-Recommend-against-SHA-1-for-security-related-applica.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_k0m6617o0 RnJvbSA1M2E0MjQ3MDYwNGUzZGI2ZTJmMDU1MmViMzQ4MWZhNjRhODUzNDU4IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW4gS2FuZ2FzIDxzdGVmYW5rYW5nYXNAZ21haWwuY29t PgpEYXRlOiBNb24sIDE2IFNlcCAyMDE5IDEwOjQ1OjE0ICswMjAwClN1YmplY3Q6IFtQQVRDSF0g UmVjb21tZW5kIGFnYWluc3QgU0hBLTEgZm9yIHNlY3VyaXR5LXJlbGF0ZWQgYXBwbGljYXRpb25z CgoqIGRvYy9saXNwcmVmL3RleHQudGV4aSAoQ2hlY2tzdW0vSGFzaCk6IENsYXJpZnkgdGhhdCBT SEEtMSBpcyBub3QKY29sbGlzaW9uIHJlc2lzdGFudC4KLS0tCiBkb2MvbGlzcHJlZi90ZXh0LnRl eGkgfCAxMiArKysrKystLS0tLS0KIDEgZmlsZSBjaGFuZ2VkLCA2IGluc2VydGlvbnMoKyksIDYg ZGVsZXRpb25zKC0pCgpkaWZmIC0tZ2l0IGEvZG9jL2xpc3ByZWYvdGV4dC50ZXhpIGIvZG9jL2xp c3ByZWYvdGV4dC50ZXhpCmluZGV4IDdjZTU0ZjU5YzYuLjk0OTc5N2MzZWYgMTAwNjQ0Ci0tLSBh L2RvYy9saXNwcmVmL3RleHQudGV4aQorKysgYi9kb2MvbGlzcHJlZi90ZXh0LnRleGkKQEAgLTQ3 MTAsMTIgKzQ3MTAsMTIgQEAgQ2hlY2tzdW0vSGFzaAogU0hBLTEsIFNIQS0yLCBTSEEtMjI0LCBT SEEtMjU2LCBTSEEtMzg0IGFuZCBTSEEtNTEyLiAgTUQ1IGlzIHRoZQogb2xkZXN0IG9mIHRoZXNl IGFsZ29yaXRobXMsIGFuZCBpcyBjb21tb25seSB1c2VkIGluIEBkZm57bWVzc2FnZQogZGlnZXN0 c30gdG8gY2hlY2sgdGhlIGludGVncml0eSBvZiBtZXNzYWdlcyB0cmFuc21pdHRlZCBvdmVyIGEK LW5ldHdvcmsuICBNRDUgaXMgbm90IGNvbGxpc2lvbiByZXNpc3RhbnQgKGkuZS4sIGl0IGlzIHBv c3NpYmxlIHRvCi1kZWxpYmVyYXRlbHkgZGVzaWduIGRpZmZlcmVudCBwaWVjZXMgb2YgZGF0YSB3 aGljaCBoYXZlIHRoZSBzYW1lIE1ENQotaGFzaCksIHNvIHlvdSBzaG91bGQgbm90IHVzZWQgaXQg Zm9yIGFueXRoaW5nIHNlY3VyaXR5LXJlbGF0ZWQuICBBCi1zaW1pbGFyIHRoZW9yZXRpY2FsIHdl YWtuZXNzIGFsc28gZXhpc3RzIGluIFNIQS0xLiAgVGhlcmVmb3JlLCBmb3IKLXNlY3VyaXR5LXJl bGF0ZWQgYXBwbGljYXRpb25zIHlvdSBzaG91bGQgdXNlIHRoZSBvdGhlciBoYXNoIHR5cGVzLAot c3VjaCBhcyBTSEEtMi4KK25ldHdvcmsuICBNRDUgYW5kIFNIQS0xIGFyZSBub3QgY29sbGlzaW9u IHJlc2lzdGFudCAoaS5lLiwgaXQgaXMKK3Bvc3NpYmxlIHRvIGRlbGliZXJhdGVseSBkZXNpZ24g ZGlmZmVyZW50IHBpZWNlcyBvZiBkYXRhIHdoaWNoIGhhdmUKK3RoZSBzYW1lIE1ENSBvciBTSEEt MSBoYXNoKSwgc28geW91IHNob3VsZCBub3QgdXNlIHRoZW0gZm9yIGFueXRoaW5nCitzZWN1cml0 eS1yZWxhdGVkLiAgRm9yIHNlY3VyaXR5LXJlbGF0ZWQgYXBwbGljYXRpb25zIHlvdSBzaG91bGQg dXNlCit0aGUgb3RoZXIgaGFzaCB0eXBlcywgc3VjaCBhcyBTSEEtMiAoQGNvZGV7c2hhMjI0fSwg QGNvZGV7c2hhMjU2fSwKK0Bjb2Rle3NoYTM4NH0gb3IgQGNvZGV7c2hhNTEyfSkuCiAKIEBkZWZ1 biBzZWN1cmUtaGFzaC1hbGdvcml0aG1zCiBUaGlzIGZ1bmN0aW9uIHJldHVybnMgYSBsaXN0IG9m IHN5bWJvbHMgcmVwcmVzZW50aW5nIGFsZ29yaXRobXMgdGhhdAotLSAKMi4yMC4xCgo= --00000000000069d6310592a7bd9a-- From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 16 07:21:14 2019 Received: (at 37420) by debbugs.gnu.org; 16 Sep 2019 11:21:14 +0000 Received: from localhost ([127.0.0.1]:49305 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9p4B-0004WJ-M0 for submit@debbugs.gnu.org; Mon, 16 Sep 2019 07:21:11 -0400 Received: from quimby.gnus.org ([80.91.231.51]:56148) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9p49-0004WA-Jl for 37420@debbugs.gnu.org; Mon, 16 Sep 2019 07:21:10 -0400 Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1i9p44-0007us-QR; Mon, 16 Sep 2019 13:21:07 +0200 From: Lars Ingebrigtsen To: Stefan Kangas Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: Date: Mon, 16 Sep 2019 13:21:04 +0200 In-Reply-To: (Stefan Kangas's message of "Mon, 16 Sep 2019 10:53:27 +0200") Message-ID: <87v9tsv65b.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Stefan Kangas writes: > We should clarify that these attacks are not only theoretical, and > actively discourage using it in security-related applications in the > Elisp Manual. The attached patch is an attempt at doing th [...] Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 37420 Cc: 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Stefan Kangas writes: > We should clarify that these attacks are not only theoretical, and > actively discourage using it in security-related applications in the > Elisp Manual. The attached patch is an attempt at doing that. Looks good to me. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 16 16:30:04 2019 Received: (at 37420) by debbugs.gnu.org; 16 Sep 2019 20:30:04 +0000 Received: from localhost ([127.0.0.1]:51139 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9xdL-0006ap-Jb for submit@debbugs.gnu.org; Mon, 16 Sep 2019 16:30:04 -0400 Received: from mail-pg1-f181.google.com ([209.85.215.181]:35955) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9xdI-0006ZJ-PX for 37420@debbugs.gnu.org; Mon, 16 Sep 2019 16:30:01 -0400 Received: by mail-pg1-f181.google.com with SMTP id m29so642476pgc.3 for <37420@debbugs.gnu.org>; Mon, 16 Sep 2019 13:30:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=m3tMGiVwOV9IN1PX3CO9kN07KOkEvq/kgb7bI+ArZDg=; b=crLvXt4hjA/GsthYIi1pvSg8P418LV52Et1znQSEUNM+tdHYawltaraKDg3szz9DhB QKSI86tgA+DXOKwPEomp1gxZ/FYdahAYWlEfmYRs5Lzbbg+yi/SJhfg1CfA2ZrMLDhaa UEoOxBVT1/SdFJr94ldxVGId8DrIZftyqJF/n0pfvdPzzEwfG9Pt3ey5o9pRU8341WrM Lrd0jetHtiKUAEX90HSpDenUyI3JfDAqEYswY7ZksklDAVFTZKeEigP2ZiBGR6tMbUdy 19gJn6rqY0tSdifSb36A8fYNmjSDI7/4kQ3Q+pMEbPSbwflgqhaPcAxG/rF8xQWqJn3d KHog== X-Gm-Message-State: APjAAAXkdsBEg+ppakYgS/AfLM58ad+euSFt3UWQUQ5VkTHY2AJq3Ujf Y0alWApHvF4MDm+XWhW1k5vBMot1XVIt4b60Qus= X-Google-Smtp-Source: APXvYqyvRuFDx7ywN3cWJg21emj35BgnVgkJAm95wVKxESUa43mIjZGumPyW8BqBiUeXm8JC0gOkUApgvDF6Ay+1d3I= X-Received: by 2002:a17:90a:8d0c:: with SMTP id c12mr1087264pjo.119.1568665794762; Mon, 16 Sep 2019 13:29:54 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> In-Reply-To: <87v9tsv65b.fsf@gnus.org> From: Stefan Kangas Date: Mon, 16 Sep 2019 22:29:43 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Lars Ingebrigtsen Content-Type: multipart/mixed; boundary="00000000000077fa7f0592b17751" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 37420 Cc: 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --00000000000077fa7f0592b17751 Content-Type: text/plain; charset="UTF-8" Lars Ingebrigtsen writes: > > We should clarify that these attacks are not only theoretical, and > > actively discourage using it in security-related applications in the > > Elisp Manual. The attached patch is an attempt at doing that. > > Looks good to me. Thanks. I thought a bit more about this, and would like to suggest the attached slightly more ambitious patch which also recommends against them in the doc strings of sha1, md5 and secure-hash. (I also changed so the doc strings consistently say SHA-1 instead of SHA1, which seems to be more correct AFAICT.) Best regards, Stefan Kangas --00000000000077fa7f0592b17751 Content-Type: text/x-patch; charset="US-ASCII"; name="0001-Recommend-against-SHA-1-and-MD5-for-security.patch" Content-Disposition: attachment; filename="0001-Recommend-against-SHA-1-and-MD5-for-security.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_k0mv0e1h0 RnJvbSA5YTQ5ZmZiOGVjNWVkZTA1YmM2ZDcxMDAwNjZkOWVkYTdlZmRkZTQ2IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW4gS2FuZ2FzIDxzdGVmYW5rYW5nYXNAZ21haWwuY29t PgpEYXRlOiBNb24sIDE2IFNlcCAyMDE5IDEwOjQ1OjE0ICswMjAwClN1YmplY3Q6IFtQQVRDSF0g UmVjb21tZW5kIGFnYWluc3QgU0hBLTEgYW5kIE1ENSBmb3Igc2VjdXJpdHkKCiogZG9jL2xpc3By ZWYvdGV4dC50ZXhpIChDaGVja3N1bS9IYXNoKToKKiBzcmMvZm5zLmMgKEZtZDUsIEZzZWN1cmVf aGFzaCk6CiogbGlzcC9zdWJyLmVsIChzaGExKTogRG9jIGZpeCB0byByZWNvbW1lbmQgYWdhaW5z dCBTSEEtMSBhbmQgTUQ1IGZvcgpzZWN1cml0eS1yZWxhdGVkIGFwcGxpY2F0aW9ucywgc2luY2Ug dGhleSBhcmUgbm90IGNvbGxpc2lvbgpyZXNpc3RhbnQuICAoQnVnIzM3NDIwKQotLS0KIGRvYy9s aXNwcmVmL3RleHQudGV4aSB8IDEyICsrKysrKy0tLS0tLQogbGlzcC9zdWJyLmVsICAgICAgICAg IHwgIDggKysrKysrLS0KIHNyYy9mbnMuYyAgICAgICAgICAgICB8IDExICsrKysrKysrKy0tCiAz IGZpbGVzIGNoYW5nZWQsIDIxIGluc2VydGlvbnMoKyksIDEwIGRlbGV0aW9ucygtKQoKZGlmZiAt LWdpdCBhL2RvYy9saXNwcmVmL3RleHQudGV4aSBiL2RvYy9saXNwcmVmL3RleHQudGV4aQppbmRl eCA3Y2U1NGY1OWM2Li41NGI4OWNmZjVhIDEwMDY0NAotLS0gYS9kb2MvbGlzcHJlZi90ZXh0LnRl eGkKKysrIGIvZG9jL2xpc3ByZWYvdGV4dC50ZXhpCkBAIC00NzEwLDEyICs0NzEwLDEyIEBAIENo ZWNrc3VtL0hhc2gKIFNIQS0xLCBTSEEtMiwgU0hBLTIyNCwgU0hBLTI1NiwgU0hBLTM4NCBhbmQg U0hBLTUxMi4gIE1ENSBpcyB0aGUKIG9sZGVzdCBvZiB0aGVzZSBhbGdvcml0aG1zLCBhbmQgaXMg Y29tbW9ubHkgdXNlZCBpbiBAZGZue21lc3NhZ2UKIGRpZ2VzdHN9IHRvIGNoZWNrIHRoZSBpbnRl Z3JpdHkgb2YgbWVzc2FnZXMgdHJhbnNtaXR0ZWQgb3ZlciBhCi1uZXR3b3JrLiAgTUQ1IGlzIG5v dCBjb2xsaXNpb24gcmVzaXN0YW50IChpLmUuLCBpdCBpcyBwb3NzaWJsZSB0bwotZGVsaWJlcmF0 ZWx5IGRlc2lnbiBkaWZmZXJlbnQgcGllY2VzIG9mIGRhdGEgd2hpY2ggaGF2ZSB0aGUgc2FtZSBN RDUKLWhhc2gpLCBzbyB5b3Ugc2hvdWxkIG5vdCB1c2VkIGl0IGZvciBhbnl0aGluZyBzZWN1cml0 eS1yZWxhdGVkLiAgQQotc2ltaWxhciB0aGVvcmV0aWNhbCB3ZWFrbmVzcyBhbHNvIGV4aXN0cyBp biBTSEEtMS4gIFRoZXJlZm9yZSwgZm9yCi1zZWN1cml0eS1yZWxhdGVkIGFwcGxpY2F0aW9ucyB5 b3Ugc2hvdWxkIHVzZSB0aGUgb3RoZXIgaGFzaCB0eXBlcywKLXN1Y2ggYXMgU0hBLTIuCituZXR3 b3JrLiAgTUQ1IGFuZCBTSEEtMSBhcmUgbm90IGNvbGxpc2lvbiByZXNpc3RhbnQgKGkuZS4sIGl0 IGlzCitwb3NzaWJsZSB0byBkZWxpYmVyYXRlbHkgZGVzaWduIGRpZmZlcmVudCBwaWVjZXMgb2Yg ZGF0YSB3aGljaCBoYXZlCit0aGUgc2FtZSBNRDUgb3IgU0hBLTEgaGFzaCksIHNvIHlvdSBzaG91 bGQgbm90IHVzZSB0aGVtIGZvciBhbnl0aGluZworc2VjdXJpdHktcmVsYXRlZC4gIEZvciBzZWN1 cml0eS1yZWxhdGVkIGFwcGxpY2F0aW9ucyB5b3Ugc2hvdWxkIHVzZQordGhlIG90aGVyIGhhc2gg dHlwZXMsIHN1Y2ggYXMgU0hBLTIgKGUuZy4gQGNvZGV7c2hhMzg0fSBvcgorQGNvZGV7c2hhNTEy fSkuCiAKIEBkZWZ1biBzZWN1cmUtaGFzaC1hbGdvcml0aG1zCiBUaGlzIGZ1bmN0aW9uIHJldHVy bnMgYSBsaXN0IG9mIHN5bWJvbHMgcmVwcmVzZW50aW5nIGFsZ29yaXRobXMgdGhhdApkaWZmIC0t Z2l0IGEvbGlzcC9zdWJyLmVsIGIvbGlzcC9zdWJyLmVsCmluZGV4IDBiNDdkYTg4NGIuLjQ1Yjk5 YTgyZDIgMTAwNjQ0Ci0tLSBhL2xpc3Avc3Vici5lbAorKysgYi9saXNwL3N1YnIuZWwKQEAgLTMx MjAsMTEgKzMxMjAsMTUgQEAgZmllbGQtYXQtcG9zCiAgICAgICByYXctZmllbGQpKSkKIAogKGRl ZnVuIHNoYTEgKG9iamVjdCAmb3B0aW9uYWwgc3RhcnQgZW5kIGJpbmFyeSkKLSAgIlJldHVybiB0 aGUgU0hBMSAoU2VjdXJlIEhhc2ggQWxnb3JpdGhtKSBvZiBhbiBPQkpFQ1QuCisgICJSZXR1cm4g dGhlIFNIQS0xIChTZWN1cmUgSGFzaCBBbGdvcml0aG0pIG9mIGFuIE9CSkVDVC4KIE9CSkVDVCBp cyBlaXRoZXIgYSBzdHJpbmcgb3IgYSBidWZmZXIuICBPcHRpb25hbCBhcmd1bWVudHMgU1RBUlQg YW5kCiBFTkQgYXJlIGNoYXJhY3RlciBwb3NpdGlvbnMgc3BlY2lmeWluZyB3aGljaCBwb3J0aW9u IG9mIE9CSkVDVCBmb3IKIGNvbXB1dGluZyB0aGUgaGFzaC4gIElmIEJJTkFSWSBpcyBub24tbmls LCByZXR1cm4gYSBzdHJpbmcgaW4gYmluYXJ5Ci1mb3JtLiIKK2Zvcm0uCisKK05vdGUgdGhhdCBT SEEtMSBpcyBub3QgY29sbGlzaW9uIHJlc2lzdGFudCBhbmQgc2hvdWxkIG5vdCBiZSB1c2VkCitm b3IgYW55dGhpbmcgc2VjdXJpdHktcmVsYXRlZC4gIFNlZSBgc2VjdXJlLWhhc2gnIGZvcgorYWx0 ZXJuYXRpdmVzLiIKICAgKHNlY3VyZS1oYXNoICdzaGExIG9iamVjdCBzdGFydCBlbmQgYmluYXJ5 KSkKIAogKGRlZnVuIGZ1bmN0aW9uLWdldCAoZiBwcm9wICZvcHRpb25hbCBhdXRvbG9hZCkKZGlm ZiAtLWdpdCBhL3NyYy9mbnMuYyBiL3NyYy9mbnMuYwppbmRleCBkZjkyMWUyOGYzLi4yMDA0N2Jl NjNkIDEwMDY0NAotLS0gYS9zcmMvZm5zLmMKKysrIGIvc3JjL2Zucy5jCkBAIC01Mzc5LDcgKzUz NzksMTAgQEAgREVGVU4gKCJtZDUiLCBGbWQ1LCBTbWQ1LCAxLCA1LCAwLAogY29tbWFuZCBgcHJl ZmVyLWNvZGluZy1zeXN0ZW0nKSBpcyB1c2VkLgogCiBJZiBOT0VSUk9SIGlzIG5vbi1uaWwsIHNp bGVudGx5IGFzc3VtZSB0aGUgYHJhdy10ZXh0JyBjb2RpbmcgaWYgdGhlCi1ndWVzc3dvcmsgZmFp bHMuICBOb3JtYWxseSwgYW4gZXJyb3IgaXMgc2lnbmFsZWQgaW4gc3VjaCBjYXNlLiAgKi8pCitn dWVzc3dvcmsgZmFpbHMuICBOb3JtYWxseSwgYW4gZXJyb3IgaXMgc2lnbmFsZWQgaW4gc3VjaCBj YXNlLgorCitOb3RlIHRoYXQgTUQ1IGlzIG5vdCBjb2xsaXNpb24gcmVzaXN0YW50IGFuZCBzaG91 bGQgbm90IGJlIHVzZWQgZm9yCithbnl0aGluZyBzZWN1cml0eS1yZWxhdGVkLiAgU2VlIGBzZWN1 cmUtaGFzaCcgZm9yIGFsdGVybmF0aXZlcy4gICovKQogICAoTGlzcF9PYmplY3Qgb2JqZWN0LCBM aXNwX09iamVjdCBzdGFydCwgTGlzcF9PYmplY3QgZW5kLCBMaXNwX09iamVjdCBjb2Rpbmdfc3lz dGVtLCBMaXNwX09iamVjdCBub2Vycm9yKQogewogICByZXR1cm4gc2VjdXJlX2hhc2ggKFFtZDUs IG9iamVjdCwgc3RhcnQsIGVuZCwgY29kaW5nX3N5c3RlbSwgbm9lcnJvciwgUW5pbCk7CkBAIC01 Mzk2LDcgKzUzOTksMTEgQEAgREVGVU4gKCJzZWN1cmUtaGFzaCIsIEZzZWN1cmVfaGFzaCwgU3Nl Y3VyZV9oYXNoLCAyLCA1LCAwLAogCiBUaGUgZnVsbCBsaXN0IG9mIGFsZ29yaXRobXMgY2FuIGJl IG9idGFpbmVkIHdpdGggYHNlY3VyZS1oYXNoLWFsZ29yaXRobXMnLgogCi1JZiBCSU5BUlkgaXMg bm9uLW5pbCwgcmV0dXJucyBhIHN0cmluZyBpbiBiaW5hcnkgZm9ybS4gICovKQorSWYgQklOQVJZ IGlzIG5vbi1uaWwsIHJldHVybnMgYSBzdHJpbmcgaW4gYmluYXJ5IGZvcm0uCisKK05vdGUgdGhh dCBNRDUgYW5kIFNIQS0xIGFyZSBub3QgY29sbGlzaW9uIHJlc2lzdGFudCBhbmQgc2hvdWxkIG5v dCBiZQordXNlZCBmb3IgYW55dGhpbmcgc2VjdXJpdHktcmVsYXRlZC4gIFVzZSBvbmUgb2YgdGhl IG90aGVyIGhhc2ggdHlwZXMKK2ZvciBzZWN1cml0eS1yZWxhdGVkIGFwcGxpY2F0aW9ucy4gICov KQogICAoTGlzcF9PYmplY3QgYWxnb3JpdGhtLCBMaXNwX09iamVjdCBvYmplY3QsIExpc3BfT2Jq ZWN0IHN0YXJ0LCBMaXNwX09iamVjdCBlbmQsIExpc3BfT2JqZWN0IGJpbmFyeSkKIHsKICAgcmV0 dXJuIHNlY3VyZV9oYXNoIChhbGdvcml0aG0sIG9iamVjdCwgc3RhcnQsIGVuZCwgUW5pbCwgUW5p bCwgYmluYXJ5KTsKLS0gCjIuMjAuMQoK --00000000000077fa7f0592b17751-- From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 16 16:34:21 2019 Received: (at 37420) by debbugs.gnu.org; 16 Sep 2019 20:34:21 +0000 Received: from localhost ([127.0.0.1]:51147 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9xhV-0000L6-Kq for submit@debbugs.gnu.org; Mon, 16 Sep 2019 16:34:21 -0400 Received: from quimby.gnus.org ([80.91.231.51]:38546) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9xhT-0000Kv-SX for 37420@debbugs.gnu.org; Mon, 16 Sep 2019 16:34:20 -0400 Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1i9xhQ-00067f-91; Mon, 16 Sep 2019 22:34:18 +0200 From: Lars Ingebrigtsen To: Stefan Kangas Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: <87v9tsv65b.fsf@gnus.org> Date: Mon, 16 Sep 2019 22:34:15 +0200 In-Reply-To: (Stefan Kangas's message of "Mon, 16 Sep 2019 22:29:43 +0200") Message-ID: <87ef0grneg.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Stefan Kangas writes: > (I also changed so the doc strings consistently say SHA-1 instead of > SHA1, which seems to be more correct AFAICT.) Yup. Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 37420 Cc: 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Stefan Kangas writes: > (I also changed so the doc strings consistently say SHA-1 instead of > SHA1, which seems to be more correct AFAICT.) Yup. [...] > +Note that SHA-1 is not collision resistant and should not be used > +for anything security-related. See `secure-hash' for > +alternatives." Looks good. -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 16 17:50:53 2019 Received: (at 37420) by debbugs.gnu.org; 16 Sep 2019 21:50:53 +0000 Received: from localhost ([127.0.0.1]:51243 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9ytZ-0006tg-Cj for submit@debbugs.gnu.org; Mon, 16 Sep 2019 17:50:53 -0400 Received: from mail-pf1-f181.google.com ([209.85.210.181]:41262) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9ytX-0006tS-4u for 37420@debbugs.gnu.org; Mon, 16 Sep 2019 17:50:51 -0400 Received: by mail-pf1-f181.google.com with SMTP id q7so730796pfh.8 for <37420@debbugs.gnu.org>; Mon, 16 Sep 2019 14:50:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=C2m1yQ8Lb3902w4Es6cgAlaN0BPFgGNC7RMO+jUPfWU=; b=N1Gd0IElfH9Vyed+yz8V+36Doact1fduFOil253FOFIHIC67L1T/bZmQeJObHLjnlv Xm48Z0ZDSnjmWUXFmOO9MfkSAbrl4sfLNpatUm9/yH0sdYM8654i26Csf+HHqD75Y6dL 002BCHuAvN8l/TcHjT2COLuVunQrp99dh2R9gpfH9TDwkoj8nJtkifEQF6jd8aQsu3mP 939Pvtuu8LArd+WNYxvC1iLgwA/XPS9EadP8ZNC15VE21r7bV7raGwfySazFSfimI+zg 2Qv91QmnGcWVzt93XyJ7g3WAzt+zpsedf58MQQL1lhT+NB9WWjngW7ZLd6P58YudRz9u 4PuA== X-Gm-Message-State: APjAAAXZ/r4A5/hL8KBB4Xd4Xy1DsS1sqil6AUtg2VC6v1qd/bq83q2G XbzOFwypTM4NB1jXMG+JcKkgtGFyLlcn9wI2Bxsmkpxs X-Google-Smtp-Source: APXvYqzMLoQDOe19t9XY6lO7Knxo85wp6ldPsEcHiBC8kxCxl5plbAs5Sdp3UU6I3XLZBGgZ9vZLzpQpjHIcsDk3r3M= X-Received: by 2002:a17:90a:17ab:: with SMTP id q40mr1483577pja.106.1568670645066; Mon, 16 Sep 2019 14:50:45 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> In-Reply-To: <87ef0grneg.fsf@gnus.org> From: Stefan Kangas Date: Mon, 16 Sep 2019 23:50:33 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Lars Ingebrigtsen Content-Type: multipart/mixed; boundary="00000000000091ba7b0592b29828" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 37420 Cc: 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --00000000000091ba7b0592b29828 Content-Type: text/plain; charset="UTF-8" Lars Ingebrigtsen writes: > Looks good. Thanks. As I was playing around with this a bit more, I also came up with another patch (attached) to be committed on top of the first one. This patch adds tests and makes some minor doc fixes. Best regards, Stefan Kangas --00000000000091ba7b0592b29828 Content-Type: text/x-patch; charset="US-ASCII"; name="0001-Add-tests-for-secure-hash-and-improve-doc-string.patch" Content-Disposition: attachment; filename="0001-Add-tests-for-secure-hash-and-improve-doc-string.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_k0mxw7yt0 RnJvbSA2NGJhOTVkZDU2NGYyMjkxMGI0OGY4NjQ0ZGI0MDEzZjlmZTY1ZWIxIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW4gS2FuZ2FzIDxzdGVmYW5rYW5nYXNAZ21haWwuY29t PgpEYXRlOiBNb24sIDE2IFNlcCAyMDE5IDIzOjM5OjU4ICswMjAwClN1YmplY3Q6IFtQQVRDSF0g QWRkIHRlc3RzIGZvciBzZWN1cmUtaGFzaCBhbmQgaW1wcm92ZSBkb2Mgc3RyaW5nCgoqIHNyYy9m bnMuYyAoRnNlY3VyZV9oYXNoX2FsZ29yaXRobXMpOiBGaXggdHlwby4KKEZzZWN1cmVfaGFzaCk6 IEFkZCBhbGdvcml0aG0gbGlzdCB0byBkb2Mgc3RyaW5nLgoqIHRlc3Qvc3JjL2Zucy10ZXN0cy5l bCAodGVzdC1zZWN1cmUtaGFzaCk6IE5ldyB0ZXN0LgotLS0KIHNyYy9mbnMuYyAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCAxMSArKysrKysrKysrLQogLi4uL2VtYWNz LWxpc3AvcGFja2FnZS1yZXNvdXJjZXMvYXJjaGl2ZS1jb250ZW50cyB8ICA1ICsrKystCiB0ZXN0 L3NyYy9mbnMtdGVzdHMuZWwgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgMTUgKysrKysr KysrKysrKysrCiAzIGZpbGVzIGNoYW5nZWQsIDI5IGluc2VydGlvbnMoKyksIDIgZGVsZXRpb25z KC0pCgpkaWZmIC0tZ2l0IGEvc3JjL2Zucy5jIGIvc3JjL2Zucy5jCmluZGV4IGRmOTIxZTI4ZjMu LjVmNTNlNTk2YTEgMTAwNjQ0Ci0tLSBhL3NyYy9mbnMuYworKysgYi9zcmMvZm5zLmMKQEAgLTUw ODQsNyArNTA4NCw3IEBAIG1ha2VfZGlnZXN0X3N0cmluZyAoTGlzcF9PYmplY3QgZGlnZXN0LCBp bnQgZGlnZXN0X3NpemUpCiAKIERFRlVOICgic2VjdXJlLWhhc2gtYWxnb3JpdGhtcyIsIEZzZWN1 cmVfaGFzaF9hbGdvcml0aG1zLAogICAgICAgIFNzZWN1cmVfaGFzaF9hbGdvcml0aG1zLCAwLCAw LCAwLAotICAgICAgIGRvYzogLyogUmV0dXJuIGEgbGlzdCBvZiBhbGwgdGhlIHN1cHBvcnRlZCBg c2VjdXJlX2hhc2gnIGFsZ29yaXRobXMuICovKQorICAgICAgIGRvYzogLyogUmV0dXJuIGEgbGlz dCBvZiBhbGwgdGhlIHN1cHBvcnRlZCBgc2VjdXJlLWhhc2gnIGFsZ29yaXRobXMuICovKQogICAo dm9pZCkKIHsKICAgcmV0dXJuIGxpc3QgKFFtZDUsIFFzaGExLCBRc2hhMjI0LCBRc2hhMjU2LCBR c2hhMzg0LCBRc2hhNTEyKTsKQEAgLTUzOTAsNiArNTM5MCwxNSBAQCBERUZVTiAoInNlY3VyZS1o YXNoIiwgRnNlY3VyZV9oYXNoLCBTc2VjdXJlX2hhc2gsIDIsIDUsIDAsCiBBTEdPUklUSE0gaXMg YSBzeW1ib2wgc3BlY2lmeWluZyB0aGUgaGFzaCB0byB1c2U6CiBtZDUsIHNoYTEsIHNoYTIyNCwg c2hhMjU2LCBzaGEzODQgb3Igc2hhNTEyLgogCitUaGVzZSBzeW1ib2xzIGNvcnJlc3BvbmRzIHRv IHRoZSBmb2xsb3dpbmcgaGFzaGluZyBhbGdvcml0aG1zOgorCisgICAgbWQ1ICAgIC0gTUQ1Cisg ICAgc2hhMSAgIC0gU0hBLTEKKyAgICBzaGEyMjQgLSBTSEEtMiAvIFNIQS0yMjQKKyAgICBzaGEy NTYgLSBTSEEtMiAvIFNIQS0zODQKKyAgICBzaGEzODQgLSBTSEEtMiAvIFNIQS0zODQKKyAgICBz aGE1MTIgLSBTSEEtMiAvIFNIQS01MTIKKwogVGhlIHR3byBvcHRpb25hbCBhcmd1bWVudHMgU1RB UlQgYW5kIEVORCBhcmUgcG9zaXRpb25zIHNwZWNpZnlpbmcgZm9yCiB3aGljaCBwYXJ0IG9mIE9C SkVDVCB0byBjb21wdXRlIHRoZSBoYXNoLiAgSWYgbmlsIG9yIG9taXR0ZWQsIHVzZXMgdGhlCiB3 aG9sZSBPQkpFQ1QuCmRpZmYgLS1naXQgYS90ZXN0L2xpc3AvZW1hY3MtbGlzcC9wYWNrYWdlLXJl c291cmNlcy9hcmNoaXZlLWNvbnRlbnRzIGIvdGVzdC9saXNwL2VtYWNzLWxpc3AvcGFja2FnZS1y ZXNvdXJjZXMvYXJjaGl2ZS1jb250ZW50cwppbmRleCBlMmY5MjMwNGY4Li5mYmJjZGZhNjQwIDEw MDY0NAotLS0gYS90ZXN0L2xpc3AvZW1hY3MtbGlzcC9wYWNrYWdlLXJlc291cmNlcy9hcmNoaXZl LWNvbnRlbnRzCisrKyBiL3Rlc3QvbGlzcC9lbWFjcy1saXNwL3BhY2thZ2UtcmVzb3VyY2VzL2Fy Y2hpdmUtY29udGVudHMKQEAgLTEsOSArMSwxMiBAQAorOzsgUkZDMzMzOSB0aW1lc3RhbXAKKzs7 IExhc3QtVXBkYXRlZDogMjAxNC0wMS0xNlQwNTo0MzozNS4wMDBaCiAoMQogIChzaW1wbGUtc2lu Z2xlIC4KICAgICAgICAgICAgICAgICBbKDEgMykKICAgICAgICAgICAgICAgICAgbmlsICJBIHNp bmdsZS1maWxlIHBhY2thZ2Ugd2l0aCBubyBkZXBlbmRlbmNpZXMiIHNpbmdsZQogICAgICAgICAg ICAgICAgICAoKDp1cmwgLiAiaHR0cDovL2Rvb2RsZXMuYXUiKQotICAgICAgICAgICAgICAgICAg KDprZXl3b3JkcyBxdW90ZSAoImZyb2JuaWNhdGUiKSkpXSkKKyAgICAgICAgICAgICAgICAgICg6 a2V5d29yZHMgcXVvdGUgKCJmcm9ibmljYXRlIikpCisgICAgICAgICAgICAgICAgICAoOmhhc2gg KV0pCiAgKHNpbXBsZS1kZXBlbmQgLgogICAgICAgICAgICAgICAgIFsoMSAwKQogICAgICAgICAg ICAgICAgICAoKHNpbXBsZS1zaW5nbGUgKDEgMykpKSAiQSBzaW5nbGUtZmlsZSBwYWNrYWdlIHdp dGggYSBkZXBlbmRlbmN5LiIgc2luZ2xlXSkKZGlmZiAtLWdpdCBhL3Rlc3Qvc3JjL2Zucy10ZXN0 cy5lbCBiL3Rlc3Qvc3JjL2Zucy10ZXN0cy5lbAppbmRleCA3ZDU2ZGE3N2NmLi41YmU5YTllYjdi IDEwMDY0NAotLS0gYS90ZXN0L3NyYy9mbnMtdGVzdHMuZWwKKysrIGIvdGVzdC9zcmMvZm5zLXRl c3RzLmVsCkBAIC04NTgsNCArODU4LDE5IEBAIHRlc3QtaGFzaC1mdW5jdGlvbi10aGF0LW11dGF0 ZXMtaGFzaC10YWJsZQogICAgICAgIChwdXRoYXNoIGsgayBoKSkpCiAgICAgKHNob3VsZCAoPSAx MDAgKGhhc2gtdGFibGUtY291bnQgaCkpKSkpCiAKKyhlcnQtZGVmdGVzdCB0ZXN0LXNlY3VyZS1o YXNoICgpCisgIChzaG91bGQgKGVxdWFsIChzZWN1cmUtaGFzaCAnbWQ1ICAgICJmb29iYXIiKSAi Mzg1OGY2MjIzMGFjM2M5MTVmMzAwYzY2NDMxMmM2M2YiKSkKKyAgKHNob3VsZCAoZXF1YWwgKHNl Y3VyZS1oYXNoICdzaGExICAgImZvb2JhciIpICI4ODQzZDdmOTI0MTYyMTFkZTllYmI5NjNmZjRj ZTI4MTI1OTMyODc4IikpCisgIChzaG91bGQgKGVxdWFsIChzZWN1cmUtaGFzaCAnc2hhMjI0ICJm b29iYXIiKSAoY29uY2F0ICJkZTc2YzNlNTY3ZmNhOWQyNDZmNWY4ZDNiMmU3MDRhMyIKKyAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIjhjM2M1 ZTI1ODk4OGFiNTI1Zjk0MWRiOCIpKSkKKyAgKHNob3VsZCAoZXF1YWwgKHNlY3VyZS1oYXNoICdz aGEyNTYgImZvb2JhciIpIChjb25jYXQgImMzYWI4ZmYxMzcyMGU4YWQ5MDQ3ZGQzOTQ2NmIzYzg5 IgorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAiNzRlNTkyYzJmYTM4M2Q0YTM5NjA3MTRjYWVmMGM0ZjIiKSkpCisgIChzaG91bGQgKGVxdWFs IChzZWN1cmUtaGFzaCAnc2hhMzg0ICJmb29iYXIiKSAoY29uY2F0ICIzYzljMzBkOWY2NjVlNzRk NTE1Yzg0Mjk2MGQ0YTQ1MSIKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgImM4M2EwMTI1ZmQzZGU3MzkyZDdiMzcyMzFhZjEwYzcyIgorICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZWE1 OGFlZGZjZGY4OWE1NzY1YmY5MDJhZjkzZWNmMDYiKSkpCisgIChzaG91bGQgKGVxdWFsIChzZWN1 cmUtaGFzaCAnc2hhNTEyICJmb29iYXIiKSAoY29uY2F0ICIwYTUwMjYxZWJkMWEzOTBmZWQyYmYz MjZmMjY3M2MxNCIKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIjU1ODJhNjM0MmQ1MjMyMDQ5NzNkMDIxOTMzN2Y4MTYxIgorICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiNmE4MDY5YjAx MjU4N2NmNTYzNWY2OTI1ZjFiNTZjMzYiCisgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICIwMjMwYzE5YjI3MzUwMGVlMDEzZTAzMDYwMWJmMjQy NSIpKSkpCisKIChwcm92aWRlICdmbnMtdGVzdHMpCi0tIAoyLjIwLjEKCg== --00000000000091ba7b0592b29828-- From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 16 18:25:21 2019 Received: (at 37420) by debbugs.gnu.org; 16 Sep 2019 22:25:21 +0000 Received: from localhost ([127.0.0.1]:51272 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9zQv-0001Qc-Cf for submit@debbugs.gnu.org; Mon, 16 Sep 2019 18:25:21 -0400 Received: from quimby.gnus.org ([80.91.231.51]:40888) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1i9zQt-0001QT-4z for 37420@debbugs.gnu.org; Mon, 16 Sep 2019 18:25:19 -0400 Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1i9zQp-0007Lz-Oq; Tue, 17 Sep 2019 00:25:18 +0200 From: Lars Ingebrigtsen To: Stefan Kangas Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> Date: Tue, 17 Sep 2019 00:25:15 +0200 In-Reply-To: (Stefan Kangas's message of "Mon, 16 Sep 2019 23:50:33 +0200") Message-ID: <87d0fzq3p0.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Stefan Kangas writes: > +These symbols corresponds to the following hashing algorithms: > + > + md5 - MD5 > + sha1 - SHA-1 > + sha224 - SHA-2 / SHA-224 > + sha256 - SHA-2 / SHA-384 > + sha384 - SHA-2 / SHA-384 > + sha512 - [...] Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 37420 Cc: 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Stefan Kangas writes: > +These symbols corresponds to the following hashing algorithms: > + > + md5 - MD5 > + sha1 - SHA-1 > + sha224 - SHA-2 / SHA-224 > + sha256 - SHA-2 / SHA-384 > + sha384 - SHA-2 / SHA-384 > + sha512 - SHA-2 / SHA-512 I'm not sure these really clarify all that much? But I don't object to it. [...] > --- a/test/lisp/emacs-lisp/package-resources/archive-contents > +++ b/test/lisp/emacs-lisp/package-resources/archive-contents > @@ -1,9 +1,12 @@ > +;; RFC3339 timestamp > +;; Last-Updated: 2014-01-16T05:43:35.000Z > (1 > (simple-single . > [(1 3) > nil "A single-file package with no dependencies" single > ((:url . "http://doodles.au") > - (:keywords quote ("frobnicate")))]) > + (:keywords quote ("frobnicate")) > + (:hash )]) Hm... is this related? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 01:51:00 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 05:51:00 +0000 Received: from localhost ([127.0.0.1]:51498 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA6OB-0004ER-Nd for submit@debbugs.gnu.org; Tue, 17 Sep 2019 01:50:59 -0400 Received: from eggs.gnu.org ([209.51.188.92]:54304) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA6O9-0004E3-J2 for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 01:50:58 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:35769) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1iA6O4-00070f-Bc; Tue, 17 Sep 2019 01:50:52 -0400 Received: from [176.228.60.248] (port=3486 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1iA6O3-0002IO-Q7; Tue, 17 Sep 2019 01:50:52 -0400 Date: Tue, 17 Sep 2019 08:50:49 +0300 Message-Id: <83r24fwjwm.fsf@gnu.org> From: Eli Zaretskii To: Lars Ingebrigtsen In-reply-to: <87ef0grneg.fsf@gnus.org> (message from Lars Ingebrigtsen on Mon, 16 Sep 2019 22:34:15 +0200) Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 37420 Cc: stefan@marxist.se, 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) > From: Lars Ingebrigtsen > Date: Mon, 16 Sep 2019 22:34:15 +0200 > Cc: 37420@debbugs.gnu.org > > Stefan Kangas writes: > > > (I also changed so the doc strings consistently say SHA-1 instead of > > SHA1, which seems to be more correct AFAICT.) > > Yup. Should we perhaps do something to help those who know this under the name "SHA1"? From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 02:05:19 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 06:05:19 +0000 Received: from localhost ([127.0.0.1]:51506 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA6c3-0004dI-CE for submit@debbugs.gnu.org; Tue, 17 Sep 2019 02:05:19 -0400 Received: from eggs.gnu.org ([209.51.188.92]:55362) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA6c1-0004d4-3Q for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 02:05:17 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:35878) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1iA6bv-0006VN-UJ; Tue, 17 Sep 2019 02:05:11 -0400 Received: from [176.228.60.248] (port=4362 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1iA6bu-00038h-Q6; Tue, 17 Sep 2019 02:05:11 -0400 Date: Tue, 17 Sep 2019 09:05:09 +0300 Message-Id: <83muf3wj8q.fsf@gnu.org> From: Eli Zaretskii To: Stefan Kangas In-reply-to: (message from Stefan Kangas on Mon, 16 Sep 2019 23:50:33 +0200) Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 37420 Cc: larsi@gnus.org, 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) > From: Stefan Kangas > Date: Mon, 16 Sep 2019 23:50:33 +0200 > Cc: 37420@debbugs.gnu.org > > +These symbols corresponds to the following hashing algorithms: > + > + md5 - MD5 > + sha1 - SHA-1 > + sha224 - SHA-2 / SHA-224 > + sha256 - SHA-2 / SHA-384 > + sha384 - SHA-2 / SHA-384 > + sha512 - SHA-2 / SHA-512 Please always use "--" to imply an em-dash in plain text. In this case, perhaps an even better way would be to explicitly say "corresponds to". Thanks. From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 05:09:44 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 09:09:44 +0000 Received: from localhost ([127.0.0.1]:51620 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA9UW-0003CJ-DI for submit@debbugs.gnu.org; Tue, 17 Sep 2019 05:09:44 -0400 Received: from mail-pf1-f182.google.com ([209.85.210.182]:36260) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA9UU-0003C6-Bl for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 05:09:43 -0400 Received: by mail-pf1-f182.google.com with SMTP id y22so1784758pfr.3 for <37420@debbugs.gnu.org>; Tue, 17 Sep 2019 02:09:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kW1Q4VwIQgjo+fOZ2wqspKlsmlZdPpeCEJsX6iu0yIM=; b=qEP+CX1nULSwP3rPuu0f+ZY0DxmLXdk5gjy3Fy5upNVRyzarf2KUXDwJR9+FmqhQC5 I41f/TZfucXpUnvzR/9S79pzpYVAgrs9NCVf+qElfays0+9u36yQ6XCXX3lCCRfBNFIu kP7LtObhDyukkPMFSdFAI6iIHRoKC58mUecEWbvsUR+lAtzhHYes1ahw7XqkoNGCIfKG NK2FkbJernOVfFtm30f+FRze5uDU+aMncAk6noXT9ZVFMzI0pFNjoCEGOhDj4uVrjRuv U1A9AdJYMT5wVVIRCNZO9tEc+NCLIxRbaq5ihF8G3xZrVOJuiNAZRx9o2N24oATLFX1e q8Kw== X-Gm-Message-State: APjAAAXkYHgzjhFxdC+9IkqL6mGT9kz3zlW/audtC8c4QjMtbFFRL+/p aI0gHJfNDNl3+6PC3+vnqAgGjbbmr8Y1TrJYB+UvgQ== X-Google-Smtp-Source: APXvYqy/M0fLjVjij/HLfbegTZiFUW+ys3qPv/89FnFws9yLcBci0jT6DIepggaXVn+S7poBOJJJb60HthTbYcRBQ5I= X-Received: by 2002:a17:90a:17ab:: with SMTP id q40mr3901247pja.106.1568711376290; Tue, 17 Sep 2019 02:09:36 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83r24fwjwm.fsf@gnu.org> In-Reply-To: <83r24fwjwm.fsf@gnu.org> From: Stefan Kangas Date: Tue, 17 Sep 2019 11:09:25 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Eli Zaretskii Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 37420 Cc: Lars Ingebrigtsen , 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) Eli Zaretskii writes: > > > (I also changed so the doc strings consistently say SHA-1 instead of > > > SHA1, which seems to be more correct AFAICT.) > > > > Yup. > > Should we perhaps do something to help those who know this under the > name "SHA1"? Is there any risk that some users believe that these would be two different algorithms? My guess would be no, but I might be wrong. Best regards, Stefan Kangas From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 05:18:06 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 09:18:06 +0000 Received: from localhost ([127.0.0.1]:51634 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA9ca-0003PQ-7t for submit@debbugs.gnu.org; Tue, 17 Sep 2019 05:18:06 -0400 Received: from mail-pf1-f177.google.com ([209.85.210.177]:33341) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iA9cX-0003Ov-Li for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 05:18:02 -0400 Received: by mail-pf1-f177.google.com with SMTP id q10so1810032pfl.0 for <37420@debbugs.gnu.org>; Tue, 17 Sep 2019 02:18:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dbU40E+ynjxtJk37SrfT4zhnnuS2CN7IUHZnR1FIzN0=; b=HdFyUDhdKucUz4QdANDgKp00IOZVvdk90QmQ688oIjGk95njJ1tYZR66TNru8aJYRP SUlGJL2NXm5TaIF/ULylY5/2rXzokqiK30BTbMsyGoMtWrd7geDdZinY8Hxf4fMa6mTQ R9Dt70A5o+DGwiHV6v3GT9XoRtar2IxcWC53J1Ku7tKlHYgxHu2Ab9fX6C/vEBLEQ+pd R8dhJ0XXfXpg8oTzIgsVuyGxQ6GZyN9/EHoRF3Msc0ZMTsWxEIBoDB6I66ads6tgS1kp CrRDZcZR+IN3BFDKyUqTjhZ85r/7wM9ZWC5/xEsdwXFzUYN+uXJocW03F1ubA1fBiP3u aJ/Q== X-Gm-Message-State: APjAAAWTxHEs8XpEswqhfaY7cYrrKqmjbeNrzT9goERQNNuRcYuzKkpX YVN4KB8St+V14f6IEWgnmSNcSLSZ4p/jjt/Ax4g= X-Google-Smtp-Source: APXvYqznZsxuCusRDQ10cGb7YL4sMnH+RuAbGQ1ad1LhvpxKqFEjodPu4VNLWa1Q5pqtnyYdhfUZKIcV6l8VvlX6ty4= X-Received: by 2002:a63:69c1:: with SMTP id e184mr2287766pgc.198.1568711875796; Tue, 17 Sep 2019 02:17:55 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <87d0fzq3p0.fsf@gnus.org> In-Reply-To: <87d0fzq3p0.fsf@gnus.org> From: Stefan Kangas Date: Tue, 17 Sep 2019 11:17:44 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Lars Ingebrigtsen Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 37420 Cc: 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) Lars Ingebrigtsen writes: > > +These symbols corresponds to the following hashing algorithms: > > + > > + md5 - MD5 > > + sha1 - SHA-1 > > + sha224 - SHA-2 / SHA-224 > > + sha256 - SHA-2 / SHA-384 > > + sha384 - SHA-2 / SHA-384 > > + sha512 - SHA-2 / SHA-512 > > I'm not sure these really clarify all that much? But I don't object to > it. They would help people like me who don't use this stuff very often and can't remember which one is SHA-1, SHA-2, SHA-3, etc. Of course, one could expect users to fire up a web browser and search the web for details instead. But as it stands, we don't document anywhere that sha512 is indeed SHA-2 as far as I can tell. > > --- a/test/lisp/emacs-lisp/package-resources/archive-contents [...] > Hm... is this related? No, please disregard that. I fixed it but then attached the wrong patch to the email. Best regards, Stefan Kangas From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 07:53:28 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 11:53:28 +0000 Received: from localhost ([127.0.0.1]:51707 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iAC2y-0002r2-20 for submit@debbugs.gnu.org; Tue, 17 Sep 2019 07:53:28 -0400 Received: from eggs.gnu.org ([209.51.188.92]:50064) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iAC2w-0002qq-6M for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 07:53:26 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:39756) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1iAC2q-0006RU-JW; Tue, 17 Sep 2019 07:53:20 -0400 Received: from [176.228.60.248] (port=2197 helo=home-c4e4a596f7) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1iAC2p-00082k-Ot; Tue, 17 Sep 2019 07:53:20 -0400 Date: Tue, 17 Sep 2019 14:53:18 +0300 Message-Id: <83a7b3w34h.fsf@gnu.org> From: Eli Zaretskii To: Stefan Kangas In-reply-to: (message from Stefan Kangas on Tue, 17 Sep 2019 11:09:25 +0200) Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83r24fwjwm.fsf@gnu.org> X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Spam-Score: -2.3 (--) X-Debbugs-Envelope-To: 37420 Cc: larsi@gnus.org, 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -3.3 (---) > From: Stefan Kangas > Date: Tue, 17 Sep 2019 11:09:25 +0200 > Cc: Lars Ingebrigtsen , 37420@debbugs.gnu.org > > > Should we perhaps do something to help those who know this under the > > name "SHA1"? > > Is there any risk that some users believe that these would be two > different algorithms? My guess would be no, but I might be wrong. I have no idea, but I personally didn't even know SHA1 has another name, let alone a more "official" one. From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 08:09:12 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 12:09:12 +0000 Received: from localhost ([127.0.0.1]:51754 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iACIC-0005LQ-47 for submit@debbugs.gnu.org; Tue, 17 Sep 2019 08:09:12 -0400 Received: from mail-pf1-f179.google.com ([209.85.210.179]:40229) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iACI9-0005L9-6r for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 08:09:10 -0400 Received: by mail-pf1-f179.google.com with SMTP id x127so2046480pfb.7 for <37420@debbugs.gnu.org>; Tue, 17 Sep 2019 05:09:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Qn7HxQ9VxYIuvItncW8TYfeme400rHSr3uX0/BJb1K0=; b=sAB6God7+yofu+xfprorQ1htpUlwBPlS/swLQ2+zwjQ58QgL5K9UKHF6dDTCShLOG3 +uPQac3P7BEKtoU7AZQ5+C2h99sqi6UVHrAG73IS2iULczDMU3W21woXW4WQw73T6cqn qlwov5vdcWMqvuyMuIlLaDFHARDLwHbMV5X1S0OH2ko+drVP+Y0YP2vh9xClGGkD2i57 zgwLyxA03iE22QC2HB9Wj96891CqF6LF89jVZTEp7CnTadN5FIndMq5/HAOxu+TH7+IE 5cGnj/1pqVLHITFaZ8QJI/BmF+DpUuI1sZXXb1kE7R5CCfbO3BvB7I2SJhx9X8eFfj/B EI1Q== X-Gm-Message-State: APjAAAXgdaGsEHm7ysgF9mjnfCfG3zpmJ/UBS8pOiNsqTX6NmSFZ1gkX 5nkZBgX+vcPOZET45/CsFHz3c+Ib5tfCSZWNHy8= X-Google-Smtp-Source: APXvYqzTrVsn3Ma28TFooV3JEuiBTKQ2luoS9hks6Lqmya2HVW7PZYruESnwQb92uRRD3Bgm1fwNI0EPhPzB0GFB5ZI= X-Received: by 2002:aa7:8009:: with SMTP id j9mr2266976pfi.107.1568722143372; Tue, 17 Sep 2019 05:09:03 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83r24fwjwm.fsf@gnu.org> <83a7b3w34h.fsf@gnu.org> In-Reply-To: <83a7b3w34h.fsf@gnu.org> From: Stefan Kangas Date: Tue, 17 Sep 2019 14:08:51 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Eli Zaretskii Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.4 (/) X-Debbugs-Envelope-To: 37420 Cc: Lars Ingebrigtsen , 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.6 (/) Eli Zaretskii writes: > > > Should we perhaps do something to help those who know this under the > > > name "SHA1"? > > > > Is there any risk that some users believe that these would be two > > different algorithms? My guess would be no, but I might be wrong. > > I have no idea, but I personally didn't even know SHA1 has another > name, let alone a more "official" one. This is the spelling in RFC 3174: https://tools.ietf.org/html/rfc3174 Perhaps SHA1 is just a common typo? Best regards, Stefan Kangas From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 08:14:58 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 12:14:58 +0000 Received: from localhost ([127.0.0.1]:51766 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iACNm-0005U2-5d for submit@debbugs.gnu.org; Tue, 17 Sep 2019 08:14:58 -0400 Received: from mail-pg1-f175.google.com ([209.85.215.175]:42353) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iACNk-0005Tn-Pj for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 08:14:57 -0400 Received: by mail-pg1-f175.google.com with SMTP id z12so1925397pgp.9 for <37420@debbugs.gnu.org>; Tue, 17 Sep 2019 05:14:56 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UCJvaKcDYjCb4zh6yMYqUvk27LTc1ibW8UOJI/P5aRY=; b=G123pONmHlqJQjVWmWc7R6tHwygNZKKF72eShRCoUS/ZuOXoGeW4Uv8Rqp/AqFrA4k MhTgqARJ0pRUOGz0jfe43MwV0fknKYcAHJy3s2wpSTinqWRZCNNtFHJY+mJQX/p7eFTY GjRcQMoHuZQXpCbI83FgKFtoqpwuH30uGSh2++2A+zvMVTTInywR7ARwopVHyTXINiOH ahpqJpUIMUP8+pHg7GbbIAq6nSlQ9EB3lj0fpuOM2p7LFHpDCRio5cIEsQB54wwL9kz6 C8K4NS3jBIMwbq3O8i0XGKAbDuUg6Wmb735+N6f/jGeVab43N5oyg0O0M8CxYc8uB7EC lkng== X-Gm-Message-State: APjAAAVbqOSRFUeazS9frRFWIpkzY8JfjX72mii09X3765Rcol8PNtTs eAi+VCGu0/s2dOElXSCgh5hZZ39PwTGLIgOPAOU= X-Google-Smtp-Source: APXvYqxGXahArx8JsqW0046Q7wC7Q+YnMnWRgcgfzzTQxWf03i1fSty331UuLp3AWLOiRm6lkOyiBOtk2ZUees4sPa8= X-Received: by 2002:aa7:8009:: with SMTP id j9mr2297289pfi.107.1568722490963; Tue, 17 Sep 2019 05:14:50 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83r24fwjwm.fsf@gnu.org> <83a7b3w34h.fsf@gnu.org> In-Reply-To: From: Stefan Kangas Date: Tue, 17 Sep 2019 14:14:39 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Eli Zaretskii Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.4 (/) X-Debbugs-Envelope-To: 37420 Cc: Lars Ingebrigtsen , 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.6 (/) Stefan Kangas writes: > This is the spelling in RFC 3174: https://tools.ietf.org/html/rfc3174 Taking a closer look, they actually use "SHA1" in the document headline, but "SHA-1" in the body text. So it's a bit of a mess. I guess the important thing is that we use one spelling consistently to avoid confusing users even more. Best regards, Stefan Kangas From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 17 09:37:54 2019 Received: (at 37420) by debbugs.gnu.org; 17 Sep 2019 13:37:54 +0000 Received: from localhost ([127.0.0.1]:51851 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iADg1-0003Bu-VF for submit@debbugs.gnu.org; Tue, 17 Sep 2019 09:37:54 -0400 Received: from mail-ed1-f46.google.com ([209.85.208.46]:46465) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iADg0-0003Bg-AI for 37420@debbugs.gnu.org; Tue, 17 Sep 2019 09:37:52 -0400 Received: by mail-ed1-f46.google.com with SMTP id t3so1147289edw.13 for <37420@debbugs.gnu.org>; Tue, 17 Sep 2019 06:37:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:references:mail-copies-to:gmane-reply-to-list :date:in-reply-to:message-id:mime-version; bh=RHZCFEDuUCTFVQXeuwtws4p9LiDCBucq9gaAMf5hZ24=; b=b6K3H0Ajuqgo8cbbStw9juGb4u4PxyqgPmRrnMy6uMJ/X/Sgy+noUYVq7GZpSX397m DFd+nbuaI/bgVnWCgtHOLuKRpYPDYZQp9aGhxE1ij45KoeXk3U3zfSSeQ5s/eCrcnL38 JHTK9PX1JRIH6R/Qqkct+3QJZpg19X86vtg15dHwjkH6CHDyqIApA8URom6GpCTK7upC lBuxhbU5RcTWh10WTGvrokGpcnrUEzJls4xoWHMQZiNabFCQgco5wkL9VS33hNk2lx9l GJmgM2FFokspxG/KkSk6EH/oMsvu9/rKzSc8DhLRgCY0n3vSgJ4YT+qnj6xYR9GYmFc0 zJQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:references:mail-copies-to :gmane-reply-to-list:date:in-reply-to:message-id:mime-version; bh=RHZCFEDuUCTFVQXeuwtws4p9LiDCBucq9gaAMf5hZ24=; b=X3Y6rEWl5El+EdW/B08iFdgIGWyggHwhQQ2kd2df7C3513jqhIDrSJP+ZUYj0YMdc/ yHf+NmvvITGLFVYhaTxe++aauqkTTXa0AwuKykK2Gccjtd3ZigPeuzAfJfFdtFZzgw22 6zGqSEqxFkj2WBn/ImVMvUC+Wfftl6+dBJrj74xTpnpDGUwBnebhWipdcWg7ixtojtHW UtLMQ/O35rxHVIBOx/TX8Ox2U6giyUm2YUp6y4khKCZM/Rl6OAL53PWkJq4Gd/4bIGV6 LI/JadwcaO5ELob2RKpx6bakBdw2Fs7rAkZ6P6oXxWYXzvpxxeM+QuUqXaPJFkzd5SUW tUyA== X-Gm-Message-State: APjAAAUIugyOUu7m7wYNfTle6dX2yRLn4iJYA+FFLZ7bpnwKI3i1Crwk AZhkLpZ85wgdMcXTujp4RWAJ5CK+ X-Google-Smtp-Source: APXvYqzJmsoW0C4dXDlSqDd8SGyN1125dxE7tuZ+xfAK7IXH8qbDudZX6AYpqSLA7hPUZzHCCIGafw== X-Received: by 2002:a50:f0db:: with SMTP id a27mr4675735edm.17.1568727466120; Tue, 17 Sep 2019 06:37:46 -0700 (PDT) Received: from rpluim-mac ([149.5.228.1]) by smtp.gmail.com with ESMTPSA id i24sm436096eds.27.2019.09.17.06.37.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Sep 2019 06:37:45 -0700 (PDT) From: Robert Pluim To: Stefan Kangas Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83muf3wj8q.fsf@gnu.org> X-Debbugs-No-Ack: yes Mail-Copies-To: never Gmane-Reply-To-List: yes Date: Tue, 17 Sep 2019 15:37:44 +0200 In-Reply-To: <83muf3wj8q.fsf@gnu.org> (Eli Zaretskii's message of "Tue, 17 Sep 2019 09:05:09 +0300") Message-ID: MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 37420 Cc: Eli Zaretskii , larsi@gnus.org, 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) >>>>> On Tue, 17 Sep 2019 09:05:09 +0300, Eli Zaretskii said: >> From: Stefan Kangas >> Date: Mon, 16 Sep 2019 23:50:33 +0200 >> Cc: 37420@debbugs.gnu.org >> >> +These symbols corresponds to the following hashing algorithms: >> + >> + md5 - MD5 >> + sha1 - SHA-1 >> + sha224 - SHA-2 / SHA-224 >> + sha256 - SHA-2 / SHA-384 >> + sha384 - SHA-2 / SHA-384 >> + sha512 - SHA-2 / SHA-512 Eli> Please always use "--" to imply an em-dash in plain text. In this Eli> case, perhaps an even better way would be to explicitly say Eli> "corresponds to". You have sha256 -> SHA-384 Robert From debbugs-submit-bounces@debbugs.gnu.org Fri Sep 20 14:51:19 2019 Received: (at 37420) by debbugs.gnu.org; 20 Sep 2019 18:51:19 +0000 Received: from localhost ([127.0.0.1]:58500 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iBNzz-00051X-5O for submit@debbugs.gnu.org; Fri, 20 Sep 2019 14:51:19 -0400 Received: from mail-pf1-f182.google.com ([209.85.210.182]:34365) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iBNzx-00051E-09 for 37420@debbugs.gnu.org; Fri, 20 Sep 2019 14:51:18 -0400 Received: by mail-pf1-f182.google.com with SMTP id b128so5114302pfa.1 for <37420@debbugs.gnu.org>; Fri, 20 Sep 2019 11:51:16 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QnEft4YM923wTYICbaNNSssDxWH/70R7TzGt7h6Vte0=; b=LJ9pCl+qb75VpkdVvP0QCw0l9g8vorF7C9reWj/OB1PqyDYRGXNWxgXf2DkH7efU6H l6cvk3oEhIp8+HYaV0UeQ+UXXKQCEn2JNoK1cPFTnba49EUohPynMfUOJq3xvOb3RNUA s8YtTiHahM3hlXtgZcPvjGdfOhnE7zQ7YvhhZjRogi0unf2qaRgouE5qE+NIaP5feqQv KEoBkRmjSdgh379xoCsQveIRQbrUlXbP/zkRPml4VMLchBUayl4EZHONw3gjEgYpsP6u Q+mqsovyzYwYfaSXbHrjurc7PKexiPzQQZdgtNFX1177v1fIeNTIUPvfAnRg9ZKYJPsF i+GQ== X-Gm-Message-State: APjAAAUoNZFu1pbseADZ7AmbY8WaX8kgCL4/zXL7UKlMLwDn2uW3UBou KMu7RcV3q2R1JagvwpP+Qdu2/vU0X4iovElWVt0= X-Google-Smtp-Source: APXvYqwNRoHLEUiFAas4oRvL3jStkTMbUEMnHI0bPmx7zT+I2pOWdAC3PbpjQ9mRhNon/POCOkkNjYXZrTvJBE1LVbg= X-Received: by 2002:a63:4c5c:: with SMTP id m28mr17511639pgl.333.1569005470787; Fri, 20 Sep 2019 11:51:10 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> In-Reply-To: <87ef0grneg.fsf@gnus.org> From: Stefan Kangas Date: Fri, 20 Sep 2019 20:50:59 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Lars Ingebrigtsen Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.4 (/) X-Debbugs-Envelope-To: 37420 Cc: 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.6 (/) Lars Ingebrigtsen writes: > > +Note that SHA-1 is not collision resistant and should not be used > > +for anything security-related. See `secure-hash' for > > +alternatives." > > Looks good. Thanks. Since there were no other comments, I've now committed this first patch as commit 6d50010b34. I'll address the second patch in a separate email. Best regards, Stefan Kangas From debbugs-submit-bounces@debbugs.gnu.org Sat Sep 28 06:20:16 2019 Received: (at 37420) by debbugs.gnu.org; 28 Sep 2019 10:20:16 +0000 Received: from localhost ([127.0.0.1]:49395 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iE9po-0000Ar-Ea for submit@debbugs.gnu.org; Sat, 28 Sep 2019 06:20:16 -0400 Received: from mail-pl1-f179.google.com ([209.85.214.179]:45202) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iE9pn-0000Ab-71 for 37420@debbugs.gnu.org; Sat, 28 Sep 2019 06:20:15 -0400 Received: by mail-pl1-f179.google.com with SMTP id u12so2022966pls.12 for <37420@debbugs.gnu.org>; Sat, 28 Sep 2019 03:20:15 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=R7u8RFFmHi3ouMSY7U6lldszzJSlz2ds45tmNlSnkOQ=; b=Cobs6qKjHqemkWKhFLUYzbYQ5xQjiQJ4GHO+COg6wxWdkRcymLNXIj5W+NLUj1nntN iYOKku+OxeQpkBDAvYWTMCxuSs24D/Bm9Xy5m7vNPtq3wV9Sf8Wqj8ghYNqkTKAb4+6z 9dJYO21U/48FuuHKK697jkDy80rqTOpeuKT1jNJ6CIjFm0AO8Y0jQu06YsK5maTdZWj0 YTyXfc4HZYPv1nCKncOG3mS4wUY7Qmvqqr5TCF2fzAKT15+yV8K5c3ziDkWLJkNCoins fHTJm2R9OCvp5zXkbveH9C2zPxpCrb4RgWce7H/rZJSV5u2T8WRy662ftXLZeH9uEPrI 3/eA== X-Gm-Message-State: APjAAAWh9WQaLTa9I9l/9FBCCg8daQqZY1LJB1zYLPmZDZH+ujwJ5hCU Y2RXeEJlmbLXQfSETQv9QVZcr9A7f39x3FqO/5g= X-Google-Smtp-Source: APXvYqy/DhIm3J2sIg7pRpGP7VJCL+g2Y20lTeaY4OnRk8hK9VKnqDhkASnwJ7JWfe8/zXtOgXwd97m1803wbnSk1wk= X-Received: by 2002:a17:902:326:: with SMTP id 35mr10027325pld.128.1569666009472; Sat, 28 Sep 2019 03:20:09 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83muf3wj8q.fsf@gnu.org> In-Reply-To: From: Stefan Kangas Date: Sat, 28 Sep 2019 12:19:58 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Robert Pluim Content-Type: multipart/mixed; boundary="000000000000e9a0d005939a58b2" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 37420 Cc: Eli Zaretskii , Lars Ingebrigtsen , 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) --000000000000e9a0d005939a58b2 Content-Type: text/plain; charset="UTF-8" Robert Pluim writes: > >>>>> On Tue, 17 Sep 2019 09:05:09 +0300, Eli Zaretskii said: > > >> From: Stefan Kangas > >> Date: Mon, 16 Sep 2019 23:50:33 +0200 > >> Cc: 37420@debbugs.gnu.org > >> > >> +These symbols corresponds to the following hashing algorithms: > >> + > >> + md5 - MD5 > >> + sha1 - SHA-1 > >> + sha224 - SHA-2 / SHA-224 > >> + sha256 - SHA-2 / SHA-384 > >> + sha384 - SHA-2 / SHA-384 > >> + sha512 - SHA-2 / SHA-512 > > Eli> Please always use "--" to imply an em-dash in plain text. In this > Eli> case, perhaps an even better way would be to explicitly say > Eli> "corresponds to". > > You have sha256 -> SHA-384 Thanks Eli and Robert. How about the attached patch? Best regards, Stefan Kangas --000000000000e9a0d005939a58b2 Content-Type: text/x-patch; charset="US-ASCII"; name="0001-Add-tests-for-secure-hash-and-improve-doc-string.patch" Content-Disposition: attachment; filename="0001-Add-tests-for-secure-hash-and-improve-doc-string.patch" Content-Transfer-Encoding: base64 Content-ID: X-Attachment-Id: f_k13eljby0 RnJvbSA2MzQ1N2QxOWQ3NmYxMTc5N2Q0NTU0MDhiYTg0MGQ4YzA0YTk0NThlIE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBTdGVmYW4gS2FuZ2FzIDxzdGVmYW5rYW5nYXNAZ21haWwuY29t PgpEYXRlOiBNb24sIDE2IFNlcCAyMDE5IDIzOjQyOjU2ICswMjAwClN1YmplY3Q6IFtQQVRDSF0g QWRkIHRlc3RzIGZvciBzZWN1cmUtaGFzaCBhbmQgaW1wcm92ZSBkb2Mgc3RyaW5nCgoqIHNyYy9m bnMuYyAoRnNlY3VyZV9oYXNoX2FsZ29yaXRobXMpOiBGaXggdHlwby4KKEZzZWN1cmVfaGFzaCk6 IEFkZCBhbGdvcml0aG0gbGlzdCB0byBkb2Mgc3RyaW5nLgoqIHRlc3Qvc3JjL2Zucy10ZXN0cy5l bCAodGVzdC1zZWN1cmUtaGFzaCk6IE5ldyB0ZXN0LgotLS0KIHNyYy9mbnMuYyAgICAgICAgICAg ICB8ICA5ICsrKysrKystLQogdGVzdC9zcmMvZm5zLXRlc3RzLmVsIHwgMTUgKysrKysrKysrKysr KysrCiAyIGZpbGVzIGNoYW5nZWQsIDIyIGluc2VydGlvbnMoKyksIDIgZGVsZXRpb25zKC0pCgpk aWZmIC0tZ2l0IGEvc3JjL2Zucy5jIGIvc3JjL2Zucy5jCmluZGV4IGI4MDBmMWM0N2YuLmZhNTJl NWUxOTcgMTAwNjQ0Ci0tLSBhL3NyYy9mbnMuYworKysgYi9zcmMvZm5zLmMKQEAgLTUwODEsNyAr NTA4MSw3IEBAIG1ha2VfZGlnZXN0X3N0cmluZyAoTGlzcF9PYmplY3QgZGlnZXN0LCBpbnQgZGln ZXN0X3NpemUpCiAKIERFRlVOICgic2VjdXJlLWhhc2gtYWxnb3JpdGhtcyIsIEZzZWN1cmVfaGFz aF9hbGdvcml0aG1zLAogICAgICAgIFNzZWN1cmVfaGFzaF9hbGdvcml0aG1zLCAwLCAwLCAwLAot ICAgICAgIGRvYzogLyogUmV0dXJuIGEgbGlzdCBvZiBhbGwgdGhlIHN1cHBvcnRlZCBgc2VjdXJl X2hhc2gnIGFsZ29yaXRobXMuICovKQorICAgICAgIGRvYzogLyogUmV0dXJuIGEgbGlzdCBvZiBh bGwgdGhlIHN1cHBvcnRlZCBgc2VjdXJlLWhhc2gnIGFsZ29yaXRobXMuICovKQogICAodm9pZCkK IHsKICAgcmV0dXJuIGxpc3QgKFFtZDUsIFFzaGExLCBRc2hhMjI0LCBRc2hhMjU2LCBRc2hhMzg0 LCBRc2hhNTEyKTsKQEAgLTUzODgsNyArNTM4OCwxMiBAQCBERUZVTiAoIm1kNSIsIEZtZDUsIFNt ZDUsIDEsIDUsIDAsCiBERUZVTiAoInNlY3VyZS1oYXNoIiwgRnNlY3VyZV9oYXNoLCBTc2VjdXJl X2hhc2gsIDIsIDUsIDAsCiAgICAgICAgZG9jOiAvKiBSZXR1cm4gdGhlIHNlY3VyZSBoYXNoIG9m IE9CSkVDVCwgYSBidWZmZXIgb3Igc3RyaW5nLgogQUxHT1JJVEhNIGlzIGEgc3ltYm9sIHNwZWNp ZnlpbmcgdGhlIGhhc2ggdG8gdXNlOgotbWQ1LCBzaGExLCBzaGEyMjQsIHNoYTI1Niwgc2hhMzg0 IG9yIHNoYTUxMi4KKy0gbWQ1ICAgIGNvcnJlc3BvbmRzIHRvIE1ENQorLSBzaGExICAgY29ycmVz cG9uZHMgdG8gU0hBLTEKKy0gc2hhMjI0IGNvcnJlc3BvbmRzIHRvIFNIQS0yIChTSEEtMjI0KQor LSBzaGEyNTYgY29ycmVzcG9uZHMgdG8gU0hBLTIgKFNIQS0yNTYpCistIHNoYTM4NCBjb3JyZXNw b25kcyB0byBTSEEtMiAoU0hBLTM4NCkKKy0gc2hhNTEyIGNvcnJlc3BvbmRzIHRvIFNIQS0yIChT SEEtNTEyKQogCiBUaGUgdHdvIG9wdGlvbmFsIGFyZ3VtZW50cyBTVEFSVCBhbmQgRU5EIGFyZSBw b3NpdGlvbnMgc3BlY2lmeWluZyBmb3IKIHdoaWNoIHBhcnQgb2YgT0JKRUNUIHRvIGNvbXB1dGUg dGhlIGhhc2guICBJZiBuaWwgb3Igb21pdHRlZCwgdXNlcyB0aGUKZGlmZiAtLWdpdCBhL3Rlc3Qv c3JjL2Zucy10ZXN0cy5lbCBiL3Rlc3Qvc3JjL2Zucy10ZXN0cy5lbAppbmRleCA3ZDU2ZGE3N2Nm Li41YmU5YTllYjdiIDEwMDY0NAotLS0gYS90ZXN0L3NyYy9mbnMtdGVzdHMuZWwKKysrIGIvdGVz dC9zcmMvZm5zLXRlc3RzLmVsCkBAIC04NTgsNCArODU4LDE5IEBAIHRlc3QtaGFzaC1mdW5jdGlv bi10aGF0LW11dGF0ZXMtaGFzaC10YWJsZQogICAgICAgIChwdXRoYXNoIGsgayBoKSkpCiAgICAg KHNob3VsZCAoPSAxMDAgKGhhc2gtdGFibGUtY291bnQgaCkpKSkpCiAKKyhlcnQtZGVmdGVzdCB0 ZXN0LXNlY3VyZS1oYXNoICgpCisgIChzaG91bGQgKGVxdWFsIChzZWN1cmUtaGFzaCAnbWQ1ICAg ICJmb29iYXIiKSAiMzg1OGY2MjIzMGFjM2M5MTVmMzAwYzY2NDMxMmM2M2YiKSkKKyAgKHNob3Vs ZCAoZXF1YWwgKHNlY3VyZS1oYXNoICdzaGExICAgImZvb2JhciIpICI4ODQzZDdmOTI0MTYyMTFk ZTllYmI5NjNmZjRjZTI4MTI1OTMyODc4IikpCisgIChzaG91bGQgKGVxdWFsIChzZWN1cmUtaGFz aCAnc2hhMjI0ICJmb29iYXIiKSAoY29uY2F0ICJkZTc2YzNlNTY3ZmNhOWQyNDZmNWY4ZDNiMmU3 MDRhMyIKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIjhjM2M1ZTI1ODk4OGFiNTI1Zjk0MWRiOCIpKSkKKyAgKHNob3VsZCAoZXF1YWwgKHNl Y3VyZS1oYXNoICdzaGEyNTYgImZvb2JhciIpIChjb25jYXQgImMzYWI4ZmYxMzcyMGU4YWQ5MDQ3 ZGQzOTQ2NmIzYzg5IgorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAiNzRlNTkyYzJmYTM4M2Q0YTM5NjA3MTRjYWVmMGM0ZjIiKSkpCisgIChz aG91bGQgKGVxdWFsIChzZWN1cmUtaGFzaCAnc2hhMzg0ICJmb29iYXIiKSAoY29uY2F0ICIzYzlj MzBkOWY2NjVlNzRkNTE1Yzg0Mjk2MGQ0YTQ1MSIKKyAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImM4M2EwMTI1ZmQzZGU3MzkyZDdiMzcyMzFh ZjEwYzcyIgorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAiZWE1OGFlZGZjZGY4OWE1NzY1YmY5MDJhZjkzZWNmMDYiKSkpCisgIChzaG91bGQg KGVxdWFsIChzZWN1cmUtaGFzaCAnc2hhNTEyICJmb29iYXIiKSAoY29uY2F0ICIwYTUwMjYxZWJk MWEzOTBmZWQyYmYzMjZmMjY3M2MxNCIKKyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIjU1ODJhNjM0MmQ1MjMyMDQ5NzNkMDIxOTMzN2Y4MTYx IgorICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAiNmE4MDY5YjAxMjU4N2NmNTYzNWY2OTI1ZjFiNTZjMzYiCisgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIwMjMwYzE5YjI3MzUwMGVlMDEz ZTAzMDYwMWJmMjQyNSIpKSkpCisKIChwcm92aWRlICdmbnMtdGVzdHMpCi0tIAoyLjIwLjEKCg== --000000000000e9a0d005939a58b2-- From debbugs-submit-bounces@debbugs.gnu.org Sat Sep 28 15:55:18 2019 Received: (at 37420) by debbugs.gnu.org; 28 Sep 2019 19:55:18 +0000 Received: from localhost ([127.0.0.1]:51319 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iEIoI-0006RO-9E for submit@debbugs.gnu.org; Sat, 28 Sep 2019 15:55:18 -0400 Received: from quimby.gnus.org ([80.91.231.51]:35684) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iEIoF-0006RE-Ta for 37420@debbugs.gnu.org; Sat, 28 Sep 2019 15:55:17 -0400 Received: from cm-84.212.202.86.getinternet.no ([84.212.202.86] helo=marnie) by quimby.gnus.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from ) id 1iEIoC-0006Nt-AM; Sat, 28 Sep 2019 21:55:14 +0200 From: Lars Ingebrigtsen To: Stefan Kangas Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83muf3wj8q.fsf@gnu.org> Date: Sat, 28 Sep 2019 21:55:12 +0200 In-Reply-To: (Stefan Kangas's message of "Sat, 28 Sep 2019 12:19:58 +0200") Message-ID: <87zhiotcv3.fsf@gnus.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Spam-Report: Spam detection software, running on the system "quimby.gnus.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: Stefan Kangas writes: > Thanks Eli and Robert. How about the attached patch? Looks good to me, but one tiny thing: Content analysis details: (-2.9 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 37420 Cc: Robert Pluim , Eli Zaretskii , 37420@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Stefan Kangas writes: > Thanks Eli and Robert. How about the attached patch? Looks good to me, but one tiny thing: > +(ert-deftest test-secure-hash () > + (should (equal (secure-hash 'md5 "foobar") "3858f62230ac3c915f300c664312c63f")) > + (should (equal (secure-hash 'sha1 "foobar") "8843d7f92416211de9ebb963ff4ce28125932878")) > + (should (equal (secure-hash 'sha224 "foobar") (concat "de76c3e567fca9d246f5f8d3b2e704a3" > + "8c3c5e258988ab525f94 Perhaps the lines should be folded to avoid too-long lines? -- (domestic pets only, the antidote for overdose, milk.) bloggy blog: http://lars.ingebrigtsen.no From debbugs-submit-bounces@debbugs.gnu.org Fri Oct 04 11:34:15 2019 Received: (at 37420-done) by debbugs.gnu.org; 4 Oct 2019 15:34:15 +0000 Received: from localhost ([127.0.0.1]:43359 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iGPax-0000pU-FT for submit@debbugs.gnu.org; Fri, 04 Oct 2019 11:34:15 -0400 Received: from mail-pl1-f172.google.com ([209.85.214.172]:36076) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iGPav-0000pG-AF for 37420-done@debbugs.gnu.org; Fri, 04 Oct 2019 11:34:13 -0400 Received: by mail-pl1-f172.google.com with SMTP id j11so3309005plk.3 for <37420-done@debbugs.gnu.org>; Fri, 04 Oct 2019 08:34:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0/Mt0GxTyxJlxRGh0KmmFGwBSynSS5+T/2Fz5KwPAHk=; b=h5i41ZN/4H7fDJxRAHM2hRBJHDgYvDdJhzLd6rhMA1WPuEdjOUW2XzYNWwn7n8Ezzi QVlHWSHPBPsZ+PEUKpddfTaQH7LgIcSv2tVX10KT3cS6kniMG21R7MkuOrLa0mY2WGIk +Zpsk9Yq+uT/zhaEIJLRL6qmdBlgsZFJvVJlfp32j9Qe5xRNs6WOrg6U6r1m+I8Vr8mf zQDBD2TTbduf3PJFyZDZoWgXh+sFTlsfiGXuwmz5FmsamySd2129UQem92ZUdbMw2PK7 AF2016SFl62XDcqmeC85a8gw8E9Zunwq0qOQ+XrJJ8j4Hg3XosZlXuszoL2r1Kdyw/Mh dsLQ== X-Gm-Message-State: APjAAAWJx5Oby38UH9Z7yJ52EiGVNkZytu2IdfTQde9F7fYecntp6Zyl hnb1PPgA22VifEmBhaaT4XeAxcc+mMeZuUMoqGA= X-Google-Smtp-Source: APXvYqwjQFC6QIhvnDi1YN236WGGw7XZwKH+otpkMDb6lhxAdoPDTRyqDd8QJcVCah1iSRxlCKLsDK5wjIq4C4qDX30= X-Received: by 2002:a17:902:326:: with SMTP id 35mr16273137pld.128.1570203247478; Fri, 04 Oct 2019 08:34:07 -0700 (PDT) MIME-Version: 1.0 References: <87v9tsv65b.fsf@gnus.org> <87ef0grneg.fsf@gnus.org> <83muf3wj8q.fsf@gnu.org> <87zhiotcv3.fsf@gnus.org> In-Reply-To: <87zhiotcv3.fsf@gnus.org> From: Stefan Kangas Date: Fri, 4 Oct 2019 17:33:54 +0200 Message-ID: Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related applications To: Lars Ingebrigtsen Content-Type: text/plain; charset="UTF-8" X-Spam-Score: 0.3 (/) X-Debbugs-Envelope-To: 37420-done Cc: 37420-done@debbugs.gnu.org, Robert Pluim , Eli Zaretskii X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.7 (/) Lars Ingebrigtsen writes: > > Thanks Eli and Robert. How about the attached patch? > > Looks good to me, but one tiny thing: > > > +(ert-deftest test-secure-hash () > > + (should (equal (secure-hash 'md5 "foobar") "3858f62230ac3c915f300c664312c63f")) > > + (should (equal (secure-hash 'sha1 "foobar") "8843d7f92416211de9ebb963ff4ce28125932878")) > > + (should (equal (secure-hash 'sha224 "foobar") (concat "de76c3e567fca9d246f5f8d3b2e704a3" > > + "8c3c5e258988ab525f94 > > Perhaps the lines should be folded to avoid too-long lines? Thanks; fixed and pushed as commit ef8fadf8c1. Best regards, Stefan Kangas From unknown Sun Jun 22 00:40:17 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Sat, 02 Nov 2019 11:24:05 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator