On Fri, Apr 25, 2014 at 12:10:04PM -0400, Daniel Kahn Gillmor wrote: > On 04/24/2014 06:09 PM, Florian Schlichting wrote: > > Digest::Perl::MD5s has the same interface as the much faster Digest::MD5, > > but > > unlike that, it is not an interface but a Perl implementation of MD5. > > Because > > of this it is slow but it works without C-Code. You should use Digest::MD5 > > instead of this module if it is available. This module is only useful for > > > > - computers where you cannot install Digest::MD5 (e.g. lack of a > > C-Compiler) > > - encrypting only small amounts of data (less than one million bytes), > > I think the use of the term "encrypting" above should be changed to > "hashing", since MD5 is not an encryption algorithm.
I agree, that should be changed in the next upload > > libdigest-perl-md5-perl is a dependency of libspreadsheet-parseexcel-perl, > > which uses its internal state in its decryption routines and hence cannot be > > switched to use Digest::MD5 instead. It will be maintained by pkg-perl. > > huh, this seems like a weird thing to do. What part of the internal > state does libspreadsheet-parseexcel-perl need? > > is it just doing partial digests and then continuing, for example? if > so, Digest::MD5 has $md5->clone() which should support this use case. > > If it really needs access to the internal state of the digest function > for some reason, perhaps Digest::MD5 could be extended to provide that > access? I know TMTOWTDI, but introducing this implementation to debian > seems like a regression, when we know that all debian systems actually > have Digest::MD5 already. libspreadsheet-parseexcel-perl has been waiting for something like this to happen for a little over three years now, so I think it's safe to say it's not going to happen, and it's a lot easier to have an alternative implementation of the MD5 algorithm packaged, which is clearly marked as inferior and not used unless specifically requested, but available for use by libspreadsheet-parseexcel-perl. If you want to look at the details of this use of "internal state", it can be found here: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libspreadsheet-parseexcel-perl.git;a=blob;f=lib/Spreadsheet/ParseExcel.pm;h=7285783835427b592bb899578d93469f5afd8f65;hb=a828ce1458524757e2bbf74a18647d382cd8ea5a#l247 If that link doesn't work, look at lib/Spreadsheet/ParseExcel.pm and search for "Digest::Perl::MD5"; there's a sub "md5state" in a section marked "Decryption routines, based on sources of gnumeric (ms-biff.c ms-excel-read.c)", which is used from both MakeKey() and VerifyPassword(). I have to admit I don't understand what exactly it's doing there and whether or how Digest::MD5 in core could be used or patched to be useable instead; but given how easy and fast it is to just package Digest::Perl::MD5, and that I cannot see how this is going to cause any harm (apart from burdening the Debian archive with yet another package - but maybe I'm overlooking something?), I thought it safe to resolve the Spreadsheet::Parseexcel stalemate by uploading libdigest-perl-md5-perl. Florian -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
