Yes, this is a serious issue -- we are totally dependent on openssl
for computing MD5 checksums. Several modules use MD5 checksums
casually, and it's not good that these fail when openssl isn't
available (or if it's too old, like what happened on an ancient Red
Hat 7.3 system I have at home). I'm tempted to put the old
RSA-copyrighted md5.c back in as a fallback, even though its license
is unpopular. Or perhaps we could make a copy of a small fraction of
openssl and use that? I think MD5 is the only one that's popular
enough to warrant this treatment; I think SHA1 is a distant second.


Every OS I use has openssl installed, so I figured someone else had made the same decision and removed the non-openssl variants.  Are there really non-linux/bsd/osx installations out there where anyone intends to build and install Python that do -not- have openssl installed somewhere?  That'd be sad, but in that case we shouldn't abandon them.  Modifying setup.py to find it installed in a different place should be easy if that's all it takes.

Rather than resurrecting the old RSA-copyright md5.c, I can easily make new ones out of the libtomcrypt md5 and sha1 sources the same way I created the non-openssl sha256 and sha512 modules.

We should not limit ourselves to only md5 if we do that; let's guarantee that md5, sha1 - sha512 are available on all future Python installs; it's not difficult.  I'll do the work if we need it.

-gps