On Tue, Nov 14, 2017 at 11:47 AM, Todd Zullinger <[email protected]> wrote:
>
> Hi Shawn,
>
> Shawn Landden wrote:
>>
>> I think this is preferable to bringing the assembly routines into the git 
>> code-base, as a way of getting access to these high-performance routines to 
>> a git available in Debian, Ubuntu, or Fedora (which all use BLK_SHA1=1 due 
>> to GPLv2 + OpenSSL license considerations, see Debian Bug #879459).
>
>
> While it seems like it could be useful to have the choice of using the fast 
> SHA1 implementation without concern about licensing issues, there's a few 
> details I thought were worth mentioning.
>
> Fedora moved from OpenSSL SHA1 to BLK_SHA1 to reduce the size of the binaries 
> and dependencies, not due to licensing issues (Fedora considers OpenSSL a 
> system library and allows linking GPLv2 code).
>
> Fedora now uses the default DC_SHA1 (the collision-detecting SHA1 
> implementation).  DC_SHA1 is not, as far as I know, as fast as the 
> OpenSSL/GnuTLS SHA1, but it's safer given the increasingly successful attacks 
> against SHA1.  I don't envision changing that to gain performance.  (And, of 
> course, the speed of SHA1 should become less of an issue once git moves to a 
> new, stronger hash.)
>
> It looks like the Debian packages use the default DC_SHA1 implementation as 
> well.  Regardless of the licensing concerns regarding OpenSSL in Debian, I 
> suspect they'll want to use the default, collision-detecting SHA1 
> implementation.  That doesn't mean a patch to add the option of GnuTLS isn't 
> useful though.
>
> Fedora does link with OpenSSL's libcrypto and libssl in Fedora for the 
> remote-curl helpers and imap-send.  I believe the remote-curl helpers just 
> link with curl, which happens to use OpenSSL on Fedora and could use GnuTLS 
> instead.  The imap-send command might also use curl and whatever crypto 
> library curl is built with too, but I'm not terribly familiar with imap-send. 
> (I think those are the only uses of libcrypto or libssl in Fedora's packages, 
> but I could be mistaken).
>
> That's a lot of text without having anything to say about the actual patch.  
> Hopefully it's at least mildly useful to you or others. :)
It is all appreciated. I just want to make note that I am still
interested in getting this patch in.
