GNU bug report logs - #37420
[PATCH] Recommend against SHA-1 for security-related applications


Package: emacs; Reported by: Stefan Kangas <stefan@HIDDEN>; Keywords: patch; dated Mon, 16 Sep 2019 08:54:02 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 37420 <at> debbugs.gnu.org:


From: Stefan Kangas <stefan@HIDDEN>
Date: Fri, 20 Sep 2019 20:50:59 +0200
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
To: Lars Ingebrigtsen <larsi@HIDDEN>
Cc: 37420 <at> debbugs.gnu.org

Lars Ingebrigtsen <larsi@HIDDEN> writes:

> > +Note that SHA-1 is not collision resistant and should not be used
> > +for anything security-related.  See `secure-hash' for
> > +alternatives."
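
Review bot: The last sentence sends the reader to `secure-hash' for alternatives without naming one. If that docstring lists sha1 among its algorithms, as the symbol table proposed elsewhere in this thread does, the reader can end up back at SHA-1; naming a SHA-2 symbol in this note (for example sha256) would close that loop.
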
>
> Looks good.

Thanks.  Since there were no other comments, I've now committed this
first patch as commit 6d50010b34.  I'll address the second patch in a
separate email.

Best regards,
Stefan Kangas




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37420; Package emacs. Full text available.

Message received at 37420 <at> debbugs.gnu.org:


From: Robert Pluim <rpluim@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
Date: Tue, 17 Sep 2019 15:37:44 +0200
Cc: Eli Zaretskii <eliz@HIDDEN>, larsi@HIDDEN, 37420 <at> debbugs.gnu.org

>>>>> On Tue, 17 Sep 2019 09:05:09 +0300, Eli Zaretskii <eliz@HIDDEN> said:

    >> From: Stefan Kangas <stefan@HIDDEN>
    >> Date: Mon, 16 Sep 2019 23:50:33 +0200
    >> Cc: 37420 <at> debbugs.gnu.org
    >> 
    >> +These symbols corresponds to the following hashing algorithms:
    >> +
    >> +    md5    - MD5
    >> +    sha1   - SHA-1
    >> +    sha224 - SHA-2 / SHA-224
    >> +    sha256 - SHA-2 / SHA-384
    >> +    sha384 - SHA-2 / SHA-384
    >> +    sha512 - SHA-2 / SHA-512

    Eli> Please always use "--" to imply an em-dash in plain text.  In this
    Eli> case, perhaps an even better way would be to explicitly say
    Eli> "corresponds to".

You have sha256 -> SHA-384

Robert




Message received at 37420 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan@HIDDEN>
Date: Tue, 17 Sep 2019 14:14:39 +0200
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
To: Eli Zaretskii <eliz@HIDDEN>
Cc: Lars Ingebrigtsen <larsi@HIDDEN>, 37420 <at> debbugs.gnu.org

Stefan Kangas <stefan@HIDDEN> writes:

> This is the spelling in RFC 3174: https://tools.ietf.org/html/rfc3174

Taking a closer look, they actually use "SHA1" in the document
headline, but "SHA-1" in the body text.  So it's a bit of a mess.

I guess the important thing is that we use one spelling consistently
to avoid confusing users even more.

Best regards,
Stefan Kangas




Message received at 37420 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan@HIDDEN>
Date: Tue, 17 Sep 2019 14:08:51 +0200
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
To: Eli Zaretskii <eliz@HIDDEN>
Cc: Lars Ingebrigtsen <larsi@HIDDEN>, 37420 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

> > > Should we perhaps do something to help those who know this under the
> > > name "SHA1"?
> >
> > Is there any risk that some users believe that these would be two
> > different algorithms?  My guess would be no, but I might be wrong.
>
> I have no idea, but I personally didn't even know SHA1 has another
> name, let alone a more "official" one.

This is the spelling in RFC 3174: https://tools.ietf.org/html/rfc3174

Perhaps SHA1 is just a common typo?

Best regards,
Stefan Kangas




Message received at 37420 <at> debbugs.gnu.org:

Date: Tue, 17 Sep 2019 14:53:18 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
Cc: larsi@HIDDEN, 37420 <at> debbugs.gnu.org

> From: Stefan Kangas <stefan@HIDDEN>
> Date: Tue, 17 Sep 2019 11:09:25 +0200
> Cc: Lars Ingebrigtsen <larsi@HIDDEN>, 37420 <at> debbugs.gnu.org
> 
> > Should we perhaps do something to help those who know this under the
> > name "SHA1"?
> 
> Is there any risk that some users believe that these would be two
> different algorithms?  My guess would be no, but I might be wrong.

I have no idea, but I personally didn't even know SHA1 has another
name, let alone a more "official" one.




Message received at 37420 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan@HIDDEN>
Date: Tue, 17 Sep 2019 11:17:44 +0200
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
To: Lars Ingebrigtsen <larsi@HIDDEN>
Cc: 37420 <at> debbugs.gnu.org

Lars Ingebrigtsen <larsi@HIDDEN> writes:

> > +These symbols corresponds to the following hashing algorithms:
> > +
> > +    md5    - MD5
> > +    sha1   - SHA-1
> > +    sha224 - SHA-2 / SHA-224
> > +    sha256 - SHA-2 / SHA-384
> > +    sha384 - SHA-2 / SHA-384
> > +    sha512 - SHA-2 / SHA-512
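
Review bot: The `sha1` entry in this list carries no hint of the caveat the first patch adds (SHA-1 is not collision resistant), so a reader picking an algorithm from this table sees it on the same footing as the SHA-2 entries. Consider marking that entry, or adding a sentence after the list that points to the note.
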
>
> I'm not sure these really clarify all that much?  But I don't object to
> it.

They would help people like me who don't use this stuff very often and
can't remember which one is SHA-1, SHA-2, SHA-3, etc.  Of course, one
could expect users to fire up a web browser and search the web for
details instead.  But as it stands, we don't document anywhere that
sha512 is indeed SHA-2 as far as I can tell.

> > --- a/test/lisp/emacs-lisp/package-resources/archive-contents
[...]
> Hm...  is this related?

No, please disregard that.  I fixed it but then attached the wrong
patch to the email.

Best regards,
Stefan Kangas




Message received at 37420 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan@HIDDEN>
Date: Tue, 17 Sep 2019 11:09:25 +0200
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
To: Eli Zaretskii <eliz@HIDDEN>
Cc: Lars Ingebrigtsen <larsi@HIDDEN>, 37420 <at> debbugs.gnu.org

Eli Zaretskii <eliz@HIDDEN> writes:

> > > (I also changed so the doc strings consistently say SHA-1 instead of
> > > SHA1, which seems to be more correct AFAICT.)
> >
> > Yup.
>
> Should we perhaps do something to help those who know this under the
> name "SHA1"?

Is there any risk that some users believe that these would be two
different algorithms?  My guess would be no, but I might be wrong.

Best regards,
Stefan Kangas




Message received at 37420 <at> debbugs.gnu.org:

Date: Tue, 17 Sep 2019 09:05:09 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
Cc: larsi@HIDDEN, 37420 <at> debbugs.gnu.org

> From: Stefan Kangas <stefan@HIDDEN>
> Date: Mon, 16 Sep 2019 23:50:33 +0200
> Cc: 37420 <at> debbugs.gnu.org
> 
> +These symbols corresponds to the following hashing algorithms:
> +
> +    md5    - MD5
> +    sha1   - SHA-1
> +    sha224 - SHA-2 / SHA-224
> +    sha256 - SHA-2 / SHA-384
> +    sha384 - SHA-2 / SHA-384
> +    sha512 - SHA-2 / SHA-512
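
Review bot: The `sha256` entry maps to "SHA-2 / SHA-384", which duplicates the `sha384` line directly below it; it should read "SHA-2 / SHA-256". The lead-in sentence also needs "correspond" rather than "corresponds" to agree with "These symbols".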

Please always use "--" to imply an em-dash in plain text.  In this
case, perhaps an even better way would be to explicitly say
"corresponds to".

Thanks.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#37420; Package emacs. Full text available.

Message received at 37420 <at> debbugs.gnu.org:


Date: Tue, 17 Sep 2019 08:50:49 +0300
Message-Id: <83r24fwjwm.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Lars Ingebrigtsen <larsi@HIDDEN>
In-reply-to: <87ef0grneg.fsf@HIDDEN> (message from Lars Ingebrigtsen on Mon, 
 16 Sep 2019 22:34:15 +0200)
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications

> From: Lars Ingebrigtsen <larsi@HIDDEN>
> Date: Mon, 16 Sep 2019 22:34:15 +0200
> Cc: 37420 <at> debbugs.gnu.org
> 
> Stefan Kangas <stefan@HIDDEN> writes:
> 
> > (I also changed so the doc strings consistently say SHA-1 instead of
> > SHA1, which seems to be more correct AFAICT.)
> 
> Yup.

Should we perhaps do something to help those who know this under the
name "SHA1"?





Message received at 37420 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
Date: Tue, 17 Sep 2019 00:25:15 +0200
In-Reply-To: <CADwFkmnLuO_4vdV7K+MRtPWxas_4vQXPWeLPpKoZVg=pALU9-A@HIDDEN>
 (Stefan Kangas's message of "Mon, 16 Sep 2019 23:50:33 +0200")
Message-ID: <87d0fzq3p0.fsf@HIDDEN>

Stefan Kangas <stefan@HIDDEN> writes:

> +These symbols corresponds to the following hashing algorithms:
> +
> +    md5    - MD5
> +    sha1   - SHA-1
> +    sha224 - SHA-2 / SHA-224
> +    sha256 - SHA-2 / SHA-384
> +    sha384 - SHA-2 / SHA-384
> +    sha512 - SHA-2 / SHA-512
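Review bot: in the added list, md5 and sha1 appear with no indication that they are the algorithms this patch series advises against for security use. Annotating those two rows (for example "sha1   - SHA-1 (not collision resistant)") would keep the warning visible to someone who only scans the table. The introductory line also needs "correspond" rather than "corresponds".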

I'm not sure these really clarify all that much?  But I don't object to
it.


[...]

> --- a/test/lisp/emacs-lisp/package-resources/archive-contents
> +++ b/test/lisp/emacs-lisp/package-resources/archive-contents
> @@ -1,9 +1,12 @@
> +;; RFC3339 timestamp
> +;; Last-Updated: 2014-01-16T05:43:35.000Z
>  (1
>   (simple-single .
>                  [(1 3)
>                   nil "A single-file package with no dependencies" single
>                   ((:url . "http://doodles.au")
> -                  (:keywords quote ("frobnicate")))])
> +                  (:keywords quote ("frobnicate"))
> +                  (:hash )])
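Review bot: the added `(:hash )])` line leaves the property list unbalanced. The line it replaces ended in `)))])`, where the third paren closed the list opened by `((:url`; the two new lines close the `:keywords` and `:hash` entries but never close that list before the `]`, so the file will not read. The `:hash` entry also has no value, and neither it nor the new Last-Updated comment is explained by a patch about secure-hash tests and doc strings. Either drop this hunk, or restore the closing paren, give `:hash` a value, and state in the commit message why the fixture changes.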

Hm...  is this related?

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





Message received at 37420 <at> debbugs.gnu.org:


In-Reply-To: <87ef0grneg.fsf@HIDDEN>
From: Stefan Kangas <stefan@HIDDEN>
Date: Mon, 16 Sep 2019 23:50:33 +0200
Message-ID: <CADwFkmnLuO_4vdV7K+MRtPWxas_4vQXPWeLPpKoZVg=pALU9-A@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
To: Lars Ingebrigtsen <larsi@HIDDEN>

Lars Ingebrigtsen <larsi@HIDDEN> writes:

> Looks good.

Thanks.

As I was playing around with this a bit more, I also came up with
another patch (attached) to be committed on top of the first one.
This patch adds tests and makes some minor doc fixes.

Best regards,
Stefan Kangas

[Attachment: 0001-Add-tests-for-secure-hash-and-improve-doc-string.patch (text/x-patch)]





Message received at 37420 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
Date: Mon, 16 Sep 2019 22:34:15 +0200
In-Reply-To: <CADwFkmnLsGMS2P44KyiLLH0sw_JAMpgmkpaBOC6_qCbQzRck3Q@HIDDEN>
 (Stefan Kangas's message of "Mon, 16 Sep 2019 22:29:43 +0200")
Message-ID: <87ef0grneg.fsf@HIDDEN>

Stefan Kangas <stefan@HIDDEN> writes:

> (I also changed so the doc strings consistently say SHA-1 instead of
> SHA1, which seems to be more correct AFAICT.)

Yup.


[...]

> +Note that SHA-1 is not collision resistant and should not be used
> +for anything security-related.  See `secure-hash' for
> +alternatives."
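Review bot: the closing pointer "See `secure-hash' for alternatives" does not say which algorithm to choose, and `secure-hash' itself accepts md5 and sha1 (both are in the symbol list added elsewhere in this series). Naming the SHA-2 symbols, for example "use `secure-hash' with sha256 or stronger", would make the advice actionable.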

Looks good.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





Message received at 37420 <at> debbugs.gnu.org:


In-Reply-To: <87v9tsv65b.fsf@HIDDEN>
From: Stefan Kangas <stefan@HIDDEN>
Date: Mon, 16 Sep 2019 22:29:43 +0200
Message-ID: <CADwFkmnLsGMS2P44KyiLLH0sw_JAMpgmkpaBOC6_qCbQzRck3Q@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
To: Lars Ingebrigtsen <larsi@HIDDEN>

Lars Ingebrigtsen <larsi@HIDDEN> writes:

> > We should clarify that these attacks are not only theoretical, and
> > actively discourage using it in security-related applications in the
> > Elisp Manual.  The attached patch is an attempt at doing that.
>
> Looks good to me.

Thanks.  I thought a bit more about this, and would like to suggest
the attached slightly more ambitious patch which also recommends
against them in the doc strings of sha1, md5 and secure-hash.

(I also changed so the doc strings consistently say SHA-1 instead of
SHA1, which seems to be more correct AFAICT.)

Best regards,
Stefan Kangas

[Attachment: 0001-Recommend-against-SHA-1-and-MD5-for-security.patch (text/x-patch)]
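One way to enforce the recommendation from the message above when verifying data from Elisp, as an added example (not code from the patch or from Emacs): it accepts only the SHA-2 symbols of `secure-hash' and rejects md5 and sha1 under any spelling, including "SHA1" and "SHA-1".  Every `example-' name and the sample input are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example, not Emacs source.  Every `example-' name is hypothetical.

(defconst example-allowed-hash-algorithms '(sha224 sha256 sha384 sha512)
  "SHA-2 symbols accepted for security checks.
`md5' and `sha1' are deliberately absent: neither is collision resistant.")

(defun example-normalize-algorithm (name)
  "Return the `secure-hash' symbol for NAME, a symbol or a string.
Spellings such as \"SHA-256\", \"sha256\" and \"SHA1\" are accepted."
  (let ((s (downcase (if (symbolp name) (symbol-name name) name))))
    (intern (replace-regexp-in-string "[-_ ]" "" s))))

(defun example-secure-digest (algorithm object)
  "Return the hex digest of OBJECT (string or buffer) under ALGORITHM.
Signal an error when ALGORITHM is not in `example-allowed-hash-algorithms'."
  (let ((alg (example-normalize-algorithm algorithm)))
    (unless (memq alg example-allowed-hash-algorithms)
      (error "Refusing %s for a security check; use one of %S"
             alg example-allowed-hash-algorithms))
    (secure-hash alg object)))

(defun example-digest-equal-p (a b)
  "Return non-nil if hex digests A and B match, ignoring case.
Every character is compared, so the run time does not depend on where
the first difference occurs."
  (let ((a (downcase a))
        (b (downcase b))
        (diff 0))
    (and (= (length a) (length b))
         (progn
           (dotimes (i (length a))
             (setq diff (logior diff (logxor (aref a i) (aref b i)))))
           (zerop diff)))))

(defun example-verify-file (file expected &optional algorithm)
  "Return non-nil if FILE hashes to the hex digest EXPECTED.
ALGORITHM defaults to `sha256'.  The file is read as raw bytes."
  (with-temp-buffer
    (set-buffer-multibyte nil)
    (insert-file-contents-literally file)
    (example-digest-equal-p
     (example-secure-digest (or algorithm 'sha256) (current-buffer))
     expected)))

;; Constructed sample: the string "abc" and its published SHA-256 test vector.
(defconst example-sample-text "abc")
(defconst example-sample-sha256
  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")

(defun example-self-check ()
  "Exercise the helpers on the constructed sample; signal on any mismatch."
  (unless (example-digest-equal-p
           (example-secure-digest "SHA-256" example-sample-text)
           example-sample-sha256)
    (error "sha256 digest of the sample did not match"))
  ;; Both weak algorithms must be rejected, however they are spelled.
  (dolist (weak '(md5 sha1 "SHA1" "SHA-1"))
    (when (condition-case nil
              (progn (example-secure-digest weak example-sample-text) t)
            (error nil))
      (error "%s was accepted" weak)))
  'ok)
```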





Message received at 37420 <at> debbugs.gnu.org:


From: Lars Ingebrigtsen <larsi@HIDDEN>
To: Stefan Kangas <stefan@HIDDEN>
Subject: Re: bug#37420: [PATCH] Recommend against SHA-1 for security-related
 applications
Date: Mon, 16 Sep 2019 13:21:04 +0200
In-Reply-To: <CADwFkmmdMPd_yVSxfGWU0X19F_kEQvcscZ6YLRs66AVyiXhV9g@HIDDEN>
 (Stefan Kangas's message of "Mon, 16 Sep 2019 10:53:27 +0200")
Message-ID: <87v9tsv65b.fsf@HIDDEN>

Stefan Kangas <stefan@HIDDEN> writes:

> We should clarify that these attacks are not only theoretical, and
> actively discourage using it in security-related applications in the
> Elisp Manual.  The attached patch is an attempt at doing that.

Looks good to me.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no





Message received at submit <at> debbugs.gnu.org:


From: Stefan Kangas <stefan@HIDDEN>
Date: Mon, 16 Sep 2019 10:53:27 +0200
Message-ID: <CADwFkmmdMPd_yVSxfGWU0X19F_kEQvcscZ6YLRs66AVyiXhV9g@HIDDEN>
Subject: [PATCH] Recommend against SHA-1 for security-related applications
To: bug-gnu-emacs@HIDDEN

SHA-1 has now seen collision attacks:
https://www.zdnet.com/article/sha-1-collision-attacks-are-now-actually-practical-and-a-looming-danger/

We should clarify that these attacks are not only theoretical, and
actively discourage using it in security-related applications in the
Elisp Manual.  The attached patch is an attempt at doing that.

Any comments?

Best regards,
Stefan Kangas

[Attachment: 0001-Recommend-against-SHA-1-for-security-related-applica.patch (text/x-patch)]




Acknowledgement sent to Stefan Kangas <stefan@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#37420; Package emacs. Full text available.
Last modified: Fri, 20 Sep 2019 19:00:01 UTC
