Source: libnet-openid-server-perl
Version: 1.02-1
Severity: normal
User: [email protected]
Usertags: digest-sha-perl-transition

Hi Dominic

We from the Debian Perl Group -- as you might read already -- would
like to drop libdigest-sha1-perl at some point, see [1]. Most of the
functionality (except sha1_transform) of Digest::SHA1 is also provided
by Digest::SHA.

Digest::SHA is in Perl core since version 5.9.3 and thus is in
Debian's perl since Lenny.

Changing use of Digest::SHA1 to Digest::SHA would thus reduce external
dependencies by one.

 [1] http://deb.li/digestsha

This seems indeed "fixed" in developer release upstream, or adapted upstream in
version 1.030099_001:

1.030099_001 Nov 06 2010

    * Use Crypt::DH::GMP over Crypt::DH for speed (Robert Norris)

    * Set mode and claimed_id before redirect to setup in checkid_immediate.
      Without this some implementations (Movable Type) do not have enough
      context to understand what the client is trying to do (Adam Sjøgren)

    * Fix potential timing attack when checking signatures (Adam Sjøgren)
      (see 
http://lists.openid.net/pipermail/openid-security/2010-July/001156.html)

    * Support HMAC-SHA256 signatures (Adam Sjøgren)
    
    * Merge get_args and post_args into single 'args' parameter. get_args &
      post_args remain as deprecated parameters (Martin Atkins, Robert Norris)

With adding support for HMAC-SHA256 they changed module to use
Digest::SHA.

Would it be possible to update package version to this, if upstream
does not release new version in near future?

Bests,
Salvatore

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to