Saturday, 23 January 2010

elfsign's days may be numbered

There's a release-critical bug (that severity is debatable, in my opinion) in elfsign, a package I maintain.

It seems, to my casual observation, that switching it to generate SHA1 signatures wouldn't be too hard, given it's using OpenSSL, and OpenSSL has a sha.h file. I really wouldn't know where to start, though, and ideally it should continue to verify existing MD5 signatures, so it's more than just changing an include and a few function calls.

To boot, upstream seems to have disappeared, so it's looking like removal is the best option. The popcon numbers for this package aren't very high either, which is another nail in the coffin.

So if someone reading this cares about elfsign in Debian enough to send me a patch to use SHA1 in the next month or so, I won't file a removal request.

[23:36]