From: Allan Jude
To: rgrimes@freebsd.org
Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: Re: svn commit: r348073 - head/lib/libmd
Date: Wed, 22 May 2019 09:11:06 -0400

On 2019-05-21 19:03, Rodney W. Grimes wrote:
>> Author: allanjude
>> Date: Tue May 21 22:17:00 2019
>> New Revision: 348073
>> URL: https://svnweb.freebsd.org/changeset/base/348073
>>
>> Log:
>> Add admonitions against using MD5 and SHA1 to the API man pages
>>
>> Modified:
>> head/lib/libmd/mdX.3
>> head/lib/libmd/sha.3
>>
>> Modified: head/lib/libmd/mdX.3
>> ==============================================================================
>> --- head/lib/libmd/mdX.3 Tue May 21 22:11:53 2019 (r348072)
>> +++ head/lib/libmd/mdX.3 Tue May 21 22:17:00 2019 (r348073)
>> @@ -208,6 +208,8 @@ This code is derived directly from these implementatio
>> .Pp
>> Phk ristede runen.
>> .Sh BUGS
>> -No method is known to exist which finds two files having the same hash value,
>> -nor to find a file with a specific hash value.
>> -There is on the other hand no guarantee that such a method does not exist.
>> +The
>> +.Tn MD5
>
> There needs to be a discussion about .Tn, some people are ripping
> them out of man pages, others are adding them. mandoc is a semantic
> mark up language, .Tn gives the following word the semantic of being
> a Tradename.
>
> Yes, I know, mandoc ignores them BUT other tools do not, mandoc is
> not the end all in what can process our man pages, groff/troff should
> still be able to produce photo typesetter output and the .Tn's look
> nice when you do that.
>
> I would like to see that we stop removing them and in fact, as this
> man page does, properly recognize trademarks/names in our man pages
> "as is often required by law."
>
> Now, one final nit, I can neither verify nor deny that "MD5" is
> a tradename.
>
>> +algorithm has been proven to be vulnerable to practical collision
>> +attacks and should not be relied upon to produce unique outputs,
>> +.Em nor should they be used as part of a cryptographic signature scheme.
>>
>> Modified: head/lib/libmd/sha.3
>> ==============================================================================
>> --- head/lib/libmd/sha.3 Tue May 21 22:11:53 2019 (r348072)
>> +++ head/lib/libmd/sha.3 Tue May 21 22:17:00 2019 (r348073)
>> @@ -191,9 +191,11 @@ published
>> .Tn FIPS
>> standards.
>> .Sh BUGS
>> -No method is known to exist which finds two files having the same hash value,
>> -nor to find a file with a specific hash value.
>> -There is on the other hand no guarantee that such a method does not exist.
>> +The
>> +.Tn SHA1
>> +algorithm has been proven to be vulnerable to practical collision
>> +attacks and should not be relied upon to produce unique outputs,
>> +.Em nor should they be used as part of a cryptographic signature scheme.
>> .Pp
>> The
>> .Tn IA32
>>
>>
>

I borrowed the message (with .Tn markup) from the md5(1) man page, and
just added it to the library reference man pages since they said 'No
method is known to exist which finds two files having the same hash
value' which has not been true in a while.

I did not spend any effort deciding which markup to use there, as I
don't think MD5 or SHA1 are tradenames, just acronyms.

--
Allan Jude
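
Review bot: In the mdX.3 hunk, the added sentence has a singular subject ("The MD5 algorithm") but the .Em line continues with "nor should they be used", so the pronoun has no antecedent; "nor should it be used" reads correctly, or name what is meant (the digests it produces). The removed BUGS text also made a statement about finding "a file with a specific hash value", and the replacement speaks only to collision attacks; either keep a sentence covering that case or note in the log that it was dropped on purpose.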
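
Review bot: In the sha.3 hunk, the line ".Em nor should they be used as part of a cryptographic signature scheme." places the whole clause, closing period included, inside the emphasis; mdoc only treats trailing punctuation as a closing delimiter when it is a separate argument, so end the line with "scheme ." to keep the period outside the .Em scope. The identical line appears in the mdX.3 hunk with the same "they" following a singular subject (here "The SHA1 algorithm"), so both pages should be corrected together.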