Debian Bug report logs - #630601
libnet-openid-server-perl: use Digest::SHA instead of Digest::SHA1 and drop (Build-)Depends(-Indep) on libdigest-sha1-perl


Package: src:libnet-openid-server-perl; Maintainer for src:libnet-openid-server-perl is Dominic Hargreaves <dom@earth.li>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 15 Jun 2011 13:51:09 UTC

Severity: important

Found in version libnet-openid-server-perl/1.02-1

Fixed in version libnet-openid-server-perl/1.09-1

Done: Dominic Hargreaves <dom@earth.li>

Bug is archived. No further changes may be made.

Forwarded to https://rt.cpan.org/Ticket/Display.html?id=70862



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#630601; Package src:libnet-openid-server-perl. (Wed, 15 Jun 2011 13:51:11 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, Dominic Hargreaves <dom@earth.li>. (Wed, 15 Jun 2011 13:51:11 GMT)

Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnet-openid-server-perl: use Digest::SHA instead of Digest::SHA1 and drop (Build-)Depends(-Indep) on libdigest-sha1-perl
Date: Wed, 15 Jun 2011 15:49:59 +0200

Source: libnet-openid-server-perl
Version: 1.02-1
Severity: normal
User: debian-perl@lists.debian.org
Usertags: digest-sha-perl-transition

Hi Dominic

We from the Debian Perl Group -- as you might read already -- would
like to drop libdigest-sha1-perl at some point, see [1]. Most of the
functionality (except sha1_transform) of Digest::SHA1 is also provided
by Digest::SHA.

Digest::SHA is in Perl core since version 5.9.3 and thus is in
Debian's perl since Lenny.

Changing use of Digest::SHA1 to Digest::SHA would thus reduce external
dependencies by one.

 [1] http://deb.li/digestsha

This seems indeed "fixed" in developer release upstream, or adapted upstream in
version 1.030099_001:

1.030099_001 Nov 06 2010

    * Use Crypt::DH::GMP over Crypt::DH for speed (Robert Norris)

    * Set mode and claimed_id before redirect to setup in checkid_immediate.
      Without this some implementations (Movable Type) do not have enough
      context to understand what the client is trying to do (Adam Sjøgren)

    * Fix potential timing attack when checking signatures (Adam Sjøgren)
      (see http://lists.openid.net/pipermail/openid-security/2010-July/001156.html)

    * Support HMAC-SHA256 signatures (Adam Sjøgren)
    
    * Merge get_args and post_args into single 'args' parameter. get_args &
      post_args remain as deprecated parameters (Martin Atkins, Robert Norris)

With adding support for HMAC-SHA256 they changed module to use
Digest::SHA.

Would it be possible to update package version to this, if upstream
does not release new version in near future?

Bests,
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
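
An audit of the kind this transition calls for, as an added example (not part of the bug report or of the package): the shell function below lists files that load Digest::SHA1, marks those that call sha1_transform (the one function the report says Digest::SHA lacks), and checks debian/control for a remaining libdigest-sha1-perl dependency. The function names, output labels and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Perl source tree for the Digest::SHA1 -> Digest::SHA
# transition. Function names, labels and the sample tree are constructed.

# Print one line per finding:
#   BLOCKER <file>  calls sha1_transform, which Digest::SHA does not provide
#   DROPIN  <file>  loads Digest::SHA1 only for functions Digest::SHA also has
#   CONTROL <file>  Debian control file still names libdigest-sha1-perl
audit_digest_sha1() {
    tree=$1
    find "$tree" -type f \( -name '*.pm' -o -name '*.pl' -o -name '*.t' -o -name '*.PL' \) | sort |
    while IFS= read -r f; do
        # Match "use/require Digest::SHA1" but not "Digest::SHA".
        grep -Eq '^[[:space:]]*(use|require)[[:space:]]+Digest::SHA1([^[:alnum:]_]|$)' "$f" || continue
        if grep -q 'sha1_transform' "$f"; then
            echo "BLOCKER $f"
        else
            echo "DROPIN $f"
        fi
    done
    if [ -f "$tree/debian/control" ] &&
       grep -q 'libdigest-sha1-perl' "$tree/debian/control"; then
        echo "CONTROL $tree/debian/control"
    fi
}

# Build a constructed sample tree and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/lib" "$d/debian"
    printf 'use Digest::SHA1 qw(sha1_hex);\nprint sha1_hex("x");\n' > "$d/lib/Server.pm"
    printf 'use Digest::SHA1 qw(sha1_transform);\n' > "$d/lib/Lowlevel.pm"
    printf 'use Digest::SHA qw(hmac_sha256_hex);\n' > "$d/lib/Done.pm"
    printf 'Depends: ${perl:Depends}, libdigest-sha1-perl\n' > "$d/debian/control"
    echo "$d"
}

sample=$(make_sample_tree)
audit_digest_sha1 "$sample"
rm -rf "$sample"
```

A DROPIN file needs only its `use` line changed to Digest::SHA; a BLOCKER file needs its sha1_transform call replaced before the dependency can go.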




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#630601; Package src:libnet-openid-server-perl. (Wed, 15 Jun 2011 14:03:05 GMT)

Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. (Wed, 15 Jun 2011 14:03:05 GMT)

Message #10 received at 630601@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Salvatore Bonaccorso <carnil@debian.org>, 630601@bugs.debian.org
Subject: Re: Bug#630601: libnet-openid-server-perl: use Digest::SHA instead of Digest::SHA1 and drop (Build-)Depends(-Indep) on libdigest-sha1-perl
Date: Wed, 15 Jun 2011 14:58:38 +0100

On Wed, Jun 15, 2011 at 03:49:59PM +0200, Salvatore Bonaccorso wrote:
> We from the Debian Perl Group -- as you might read already -- would
> like to drop libdigest-sha1-perl at some point, see [1]. Most of the
> functionality (except sha1_transform) of Digest::SHA1 is also provided
> by Digest::SHA.
> 
> Digest::SHA is in Perl core since version 5.9.3 and thus is in
> Debian's perl since Lenny.
> 
> Changing use of Digest::SHA1 to Digest::SHA would thus reduce external
> dependencies by one.
> 
>  [1] http://deb.li/digestsha
> 
> This seems indeed "fixed" in developer release upstream, or adapted upstream in
> version 1.030099_001:
> 
> 1.030099_001 Nov 06 2010

[snip]

> With adding support for HMAC-SHA256 they changed module to use
> Digest::SHA.
> 
> Would it be possible to update package version to this, if upstream
> does not release new version in near future?

Thanks for pointing this out. As it happens I was looking at that
version recently for other reasons. I'll look at updating the package
as you suggest.

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)




Information forwarded to debian-bugs-dist@lists.debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#630601; Package src:libnet-openid-server-perl. (Tue, 16 Aug 2011 18:54:19 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dominic Hargreaves <dom@earth.li>. (Tue, 16 Aug 2011 18:54:19 GMT)

Message #15 received at 630601@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 625903@bugs.debian.org,625875@bugs.debian.org,625904@bugs.debian.org,636853@bugs.debian.org,636642@bugs.debian.org,636852@bugs.debian.org,636856@bugs.debian.org,630601@bugs.debian.org,636857@bugs.debian.org,625870@bugs.debian.org,624065@bugs.debian.org,629612@bugs.debian.org,debian-perl@lists.debian.org
Subject: Increase severity: libdigest-sha1-perl going to disappear
Date: Tue, 16 Aug 2011 20:51:15 +0200

# raising severity for remaining bugs to important
# libdigest-sha1-perl is going to disappear
# see: http://wiki.debian.org/Teams/DebianPerlGroup/OpenTasks/Transitions/DigestSHA1ToDigestSHA
severity 625903 important
severity 625875 important
severity 625904 important
severity 636853 important
severity 636642 important
severity 636852 important
severity 636856 important
severity 630601 important
severity 636857 important
severity 625870 important
severity 624065 important
severity 629612 important
thanks

Hi!

We from the Debian Perl Group want to remove libdigest-sha1-perl soon. See [1]
for details. We thus would like to increase the severity to the remaining
bug reports to important.

 [1] http://wiki.debian.org/Teams/DebianPerlGroup/OpenTasks/Transitions/DigestSHA1ToDigestSHA

Regards
Salvatore, Debian Perl Group




Severity set to 'important' from 'normal' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 16 Aug 2011 18:54:35 GMT)

Added indication that bug 630601 blocks 594273 Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Thu, 18 Aug 2011 08:15:36 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#630601; Package src:libnet-openid-server-perl. (Thu, 18 Aug 2011 21:33:39 GMT)

Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. Copy sent to Dominic Hargreaves <dom@earth.li>. (Thu, 18 Aug 2011 21:33:47 GMT)

Message #24 received at 630601@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 625903@bugs.debian.org, control@bugs.debian.org, 625875@bugs.debian.org, 625904@bugs.debian.org, 636853@bugs.debian.org, 636642@bugs.debian.org, 636852@bugs.debian.org, 636856@bugs.debian.org, 630601@bugs.debian.org, 636857@bugs.debian.org, 625870@bugs.debian.org, 624065@bugs.debian.org, 629612@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#625903: Increase severity: libdigest-sha1-perl going to disappear
Date: Thu, 18 Aug 2011 17:30:38 -0400

Hi.
I'm planning on getting to this issue Sunday.
If someone wants to NMU before then they are welcome.




Set Bug forwarded-to-address to 'https://rt.cpan.org/Ticket/Display.html?id=70862'. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Sat, 10 Sep 2011 14:24:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Dominic Hargreaves <dom@earth.li>:
Bug#630601; Package src:libnet-openid-server-perl. (Thu, 10 Nov 2011 10:37:17 GMT)

Acknowledgement sent to Roger Crew <crew@cs.stanford.edu>:
Extra info received and forwarded to list. Copy sent to Dominic Hargreaves <dom@earth.li>. (Thu, 10 Nov 2011 10:37:23 GMT)

Message #31 received at 630601@bugs.debian.org:

From: Roger Crew <crew@cs.stanford.edu>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Dominic Hargreaves <dom@earth.li>, Roger Crew <crew@cs.stanford.edu>, 630601@bugs.debian.org
Subject: Re: Bug#630601: libnet-openid-server-perl: use Digest::SHA instead of Digest::SHA1 and drop (Build-)Depends(-Indep) on libdigest-sha1-perl
Date: Thu, 10 Nov 2011 01:45:45 -0800

FYI - there's a new Net-OpenID-Server (1.09)

(...there are no substantive differences from 1.030099_002, 
which already dropped Digest::SHA1 so if you've already packaged 
that one, then no problem, but if not then you might want to...)

-- 
Roger Crew
crew@cs.stanford.edu




Added tag(s) pending. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Fri, 11 Nov 2011 21:54:14 GMT)

Reply sent to Dominic Hargreaves <dom@earth.li>:
You have taken responsibility. (Sat, 12 Nov 2011 13:36:06 GMT)

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 12 Nov 2011 13:36:06 GMT)

Message #38 received at 630601-close@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: 630601-close@bugs.debian.org
Subject: Bug#630601: fixed in libnet-openid-server-perl 1.09-1
Date: Sat, 12 Nov 2011 13:32:25 +0000

Source: libnet-openid-server-perl
Source-Version: 1.09-1

We believe that the bug you reported is fixed in the latest version of
libnet-openid-server-perl, which is due to be installed in the Debian FTP archive:

libnet-openid-server-perl_1.09-1.debian.tar.gz
  to main/libn/libnet-openid-server-perl/libnet-openid-server-perl_1.09-1.debian.tar.gz
libnet-openid-server-perl_1.09-1.dsc
  to main/libn/libnet-openid-server-perl/libnet-openid-server-perl_1.09-1.dsc
libnet-openid-server-perl_1.09-1_all.deb
  to main/libn/libnet-openid-server-perl/libnet-openid-server-perl_1.09-1_all.deb
libnet-openid-server-perl_1.09.orig.tar.gz
  to main/libn/libnet-openid-server-perl/libnet-openid-server-perl_1.09.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 630601@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominic Hargreaves <dom@earth.li> (supplier of updated libnet-openid-server-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 12 Nov 2011 11:37:24 +0000
Source: libnet-openid-server-perl
Binary: libnet-openid-server-perl
Architecture: source all
Version: 1.09-1
Distribution: unstable
Urgency: low
Maintainer: Dominic Hargreaves <dom@earth.li>
Changed-By: Dominic Hargreaves <dom@earth.li>
Description: 
 libnet-openid-server-perl - library for servers of OpenID identities
Closes: 630601
Changes: 
 libnet-openid-server-perl (1.09-1) unstable; urgency=low
 .
   * Add Vcs-* fields
   * Switch to dpkg-source 3.0 (quilt) format
   * Switch to minimal dh7 rules
   * Update Standards-Version (no changes)
   * New upstream release
   * Adjust dependencies for new upstream release (closes: #630601)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOvlqZYzuFKFF44qURAqGhAKC/nIDLosNxUl5S8Z3cPMlg9NSHJACgyQYj
KbXjENn4bATJnHrZnR1eHJU=
=aDR/
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Dec 2011 07:31:30 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:30:18 2014; Machine Name: buxtehude.debian.org