Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Fri, 7 Jul 2006, George Danchev wrote: ...[deleted] > > /** > > * This software contains an ad hoc version of the 'Alleged RC4' algorithm, > > * which was anonymously posted on sci.crypt news by cypherpunks on Sep > > 1994. * > > * My implementation is a complete rewritten of the one found in > > We have a little typo here ... s/rewritten/rewrite/ Fixed. > > > * an unknown-copyright (283 characters) version picked up from: > > *From: [EMAIL PROTECTED] (John L. Allen) > > *Newsgroups: comp.lang.c > > *Subject: Shrink this C code for fame and fun > > *Date: 21 May 1996 10:49:37 -0400 > > * And it is licensed also under GPL. > > */ > > Looks pretty good to me. > > Alexander, > > What do you think ? Comments ? I will prepare a 3.8.6 package when it > gets > done and released upstream. Done. http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.6.tgz > -- Saludos Fran - Francisco Rosales García <[EMAIL PROTECTED]> TEL: +34 91 336 73 80 http://www.datsi.fi.upm.es/~frosalFAX: +34 91 336 73 73 Departamento de Arquitectura y Tecnología de Sistemas Informáticos. Facultad de Informática. Universidad Politécnica de Madrid. España.
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Friday 07 July 2006 18:54, Francisco Rosales wrote: --cut-- Hi, > > I would add 'and is licensed also under GPL' or you think it is far too > > much as clarification. > > No problem. Thanks for your time. I really appreciate that ! > Please, check the file: > http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.6_shc.c.gz > > It contains the following message and the previous messages have > been removed. Please, check the file an tell me if it is all right. > > /** > * This software contains an ad hoc version of the 'Alleged RC4' algorithm, > * which was anonymously posted on sci.crypt news by cypherpunks on Sep > 1994. * > * My implementation is a complete rewritten of the one found in We have a little typo here ... s/rewritten/rewrite/ > * an unknown-copyright (283 characters) version picked up from: > *From: [EMAIL PROTECTED] (John L. Allen) > *Newsgroups: comp.lang.c > *Subject: Shrink this C code for fame and fun > *Date: 21 May 1996 10:49:37 -0400 > * And it is licensed also under GPL. > */ Looks pretty good to me. Alexander, What do you think ? Comments ? I will prepare a 3.8.6 package when it gets done and released upstream. -- pub 4096R/0E4BD0AB 2003-03-18 fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Fri, 7 Jul 2006, George Danchev wrote: ...[deleted] > Hello, Hello, ... > > I sincerely think that this code is mostly mine. > > > > Perhaps some i, j, s or p remains from the original, and obviously > > I'm not the creator of the rc4 algorithm. > > Very good. I do believe it is yours. What I wish to see in shc.c is the very > same words and explanations, that is, that the unknown-copyright > implementation has been re-implemented by you and the copyright notice applis > to it also. Since that appears to be true, it should be added there and get > the users aware of that very important detail from the legal POV. > > Right, we are not discussing algorithm itself (it has already been in various > free software packages), but its implementation in shc. > ... > I would add 'and is licensed also under GPL' or you think it is far too much > as clarification. No problem. Please, check the file: http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.6_shc.c.gz It contains the following message and the previous messages have been removed. Please, check the file an tell me if it is all right. /** * This software contains an ad hoc version of the 'Alleged RC4' algorithm, * which was anonymously posted on sci.crypt news by cypherpunks on Sep 1994. * * My implementation is a complete rewritten of the one found in * an unknown-copyright (283 characters) version picked up from: *From: [EMAIL PROTECTED] (John L. Allen) *Newsgroups: comp.lang.c *Subject: Shrink this C code for fame and fun *Date: 21 May 1996 10:49:37 -0400 * And it is licensed also under GPL. */ ... > > There is not a single byte of cypherpunk code in shc.c file. > > If so, I wish the truth to live in shc.c as a comment. I hope you find that > acceptable ? > > > If I have clarified it enough we can keep the actual > > implementation as is. Is it all right now? ... -- Saludos Fran - Francisco Rosales García <[EMAIL PROTECTED]> TEL: +34 91 336 73 80 http://www.datsi.fi.upm.es/~frosalFAX: +34 91 336 73 73 Departamento de Arquitectura y Tecnología de Sistemas Informáticos. Facultad de Informática. Universidad Politécnica de Madrid. España.
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Friday 07 July 2006 12:38, Francisco Rosales wrote:
-cut--
Hello,
> If the problem is about the copyright of the rc4 implementation,
> then you must know the full history.
>
> At some point in 1997 I decided to change from shc-2.7 to 3.0. The
> idea was to change totally the way the script is hidden inside the binary.
> I decide to use a very beautiful and tiny algorithm I seen published in
> the news:
> http://groups.google.com/group/comp.lang.c/msg/dce6ba2c5c8dd0d1
>
> As you can see following the previous link, the published
> implementation was 4 lines long (283 characters):
>
> #define S,t=s[i],s[i]=s[j],s[j]=t, /* :usage: rc4 key main(int c,char**v){unsigned char*p=*++v,s[256],b[4096],i=0,j=0,t;c=
> strlen(p);while(s[i]=i,++i);while(j+=s[i]+p[i%c]S++i);j=0;while(c=read
> (0,p=b,4096)){while(c--){j+=s[++i]S*p++^=s[t+=s[i]];}write(1,b,p-b);}}
>
>
> ...and came with the following invitation:
> " Anyone fancy having a go at shrinking this C code? ... "
>
> There was no copyright notice, but obviously there was an explicit
> invitation for everybody to take and to modify that code.
>
> I took the invitation, not for shrinking but for improving
> readability and usability. The resulting code, which is included in shc.c
> file and in any ".x.c" generated file is:
>
>
> static unsigned char stte[256], indx, jndx, kndx;
>
> /*
> * Reset arc4 stte.
> */
> void stte_0(void)
> {
> indx = jndx = kndx = 0;
> do {
> stte[indx] = indx;
> } while (++indx);
> }
>
> /*
> * Set key. Can be used more than once.
> */
> void key(void * str, int len)
> {
> unsigned char tmp, * ptr = (unsigned char *)str;
> while (len > 0) {
> do {
> tmp = stte[indx];
> kndx += tmp;
> kndx += ptr[(int)indx % len];
> stte[indx] = stte[kndx];
> stte[kndx] = tmp;
> } while (++indx);
> ptr += 256;
> len -= 256;
> }
> }
>
> /*
> * Crypt data.
> */
> void arc4(void * str, int len)
> {
> unsigned char tmp, * ptr = (unsigned char *)str;
> while (len > 0) {
> indx++;
> tmp = stte[indx];
> jndx += tmp;
> stte[indx] = stte[jndx];
> stte[jndx] = tmp;
> tmp += stte[indx];
> *ptr ^= stte[tmp];
> ptr++;
> len--;
> }
> }
>
>
>
> I sincerely think that this code is mostly mine.
>
> Perhaps some i, j, s or p remains from the original, and obviously
> I'm not the creator of the rc4 algorithm.
Very good. I do believe it is yours. What I wish to see in shc.c is the very
same words and explanations, that is, that the unknown-copyright
implementation has been re-implemented by you and the copyright notice applis
to it also. Since that appears to be true, it should be added there and get
the users aware of that very important detail from the legal POV.
Right, we are not discussing algorithm itself (it has already been in various
free software packages), but its implementation in shc.
> Is almost impossible for "John L. Allen" (wherever he is) to
> recognize that code as his code, and obviously his own (beautiful) 4 lines
> of code wasn't created from nothing, and he isn't the creator of the rc4
> algorithm neither.
>
> So... I sincerely think that this code is mostly mine.
> The disclaimer I put on top of shc.c,
>
> /**
> * This software contains the 'Alleged RC4' source code.
> * The original source code was published on the Net by a group of
> cypherpunks. * I picked up a modified version from the news.
> * The copyright notice does not apply to that code.
> */
>
>
> ...and the header of the rc4 implementation,
>
> /**
> * 'Alleged RC4' Source Code picked up from the news.
> * From: [EMAIL PROTECTED] (John L. Allen)
> * Newsgroups: comp.lang.c
> * Subject: Shrink this C code for fame and fun
> * Date: 21 May 1996 10:49:37 -0400
> */
>
>
> ...were there basically because:
>
> 1)In 1997 I was not sure what could happen if I distribute
> software
> using (any implementation of) the rc4 algorithm.
> I don't want the NSA of RSA people knock my door.
> 2)To state that somebody published an implementation before me.
> 3)To acknowledge that initial implementation.
>
>
>
> Today, and being stricter with what I write, both comments could
> be rewritten such as something similar to:
> /**
> * This software contains an ad hoc version of the 'Alleged RC4' algorithm.
> * The original source code was published on the Net by a group of
> cypherpunks. * A modified version was picked up from the news
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Wed, 5 Jul 2006, George Danchev wrote:
> Date: Wed, 05 Jul 2006 19:56:05 +0300
> From: George Danchev <[EMAIL PROTECTED]>
> To: Francisco Rosales <[EMAIL PROTECTED]>
> Cc: Alexander Schmehl <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
> [EMAIL PROTECTED]
> Subject: Re: shc -- #335278 broken packaging -- non-DD NMU prepared
>
>
> Well we start off with 3.7 because it is currently in Debian. The main problem
> is the rc4 implementation which has no copyright attached. That's the reason
> we started replacing it with a clean-room GPL'ed implementation and finally
> make the program licensed free and consistent. Otherwise it will be removed
> from the archive because of legal issues.
>
> For the time being as for 3.7 version with the new GPL'ed rc4 implementation I
> forced intentionally relax/redistributable binary to be created to overpass
> the above 'shell has changed'. I agree, it is far from being perfect.
>
> You can find more information at:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335278
I see.
If the problem is about the copyright of the rc4 implementation,
then you must know the full history.
At some point in 1997 I decided to change from shc-2.7 to 3.0. The
idea was to change totally the way the script is hidden inside the binary.
I decide to use a very beautiful and tiny algorithm I seen published in
the news:
http://groups.google.com/group/comp.lang.c/msg/dce6ba2c5c8dd0d1
As you can see following the previous link, the published
implementation was 4 lines long (283 characters):
#define S,t=s[i],s[i]=s[j],s[j]=t, /* :usage: rc4 key >>>
static unsigned char stte[256], indx, jndx, kndx;
/*
* Reset arc4 stte.
*/
void stte_0(void)
{
indx = jndx = kndx = 0;
do {
stte[indx] = indx;
} while (++indx);
}
/*
* Set key. Can be used more than once.
*/
void key(void * str, int len)
{
unsigned char tmp, * ptr = (unsigned char *)str;
while (len > 0) {
do {
tmp = stte[indx];
kndx += tmp;
kndx += ptr[(int)indx % len];
stte[indx] = stte[kndx];
stte[kndx] = tmp;
} while (++indx);
ptr += 256;
len -= 256;
}
}
/*
* Crypt data.
*/
void arc4(void * str, int len)
{
unsigned char tmp, * ptr = (unsigned char *)str;
while (len > 0) {
indx++;
tmp = stte[indx];
jndx += tmp;
stte[indx] = stte[jndx];
stte[jndx] = tmp;
tmp += stte[indx];
*ptr ^= stte[tmp];
ptr++;
len--;
}
}
I sincerely think that this code is mostly mine.
Perhaps some i, j, s or p remains from the original, and obviously
I'm not the creator of the rc4 algorithm.
Is almost impossible for "John L. Allen" (wherever he is) to
recognize that code as his code, and obviously his own (beautiful) 4 lines
of code wasn't created from nothing, and he isn't the creator of the rc4
algorithm neither.
So... I sincerely think that this code is mostly mine.
The disclaimer I put on top of shc.c,
/**
* This software contains the 'Alleged RC4' source code.
* The original source code was published on the Net by a group of cypherpunks.
* I picked up a modified version from the news.
* The copyright notice does not apply to that code.
*/
...and the header of the rc4 implementation,
/**
* 'Alleged RC4' Source Code picked up from the news.
* From: [EMAIL PROTECTED] (John L. Allen)
* Newsgroups: comp.lang.c
* Subject: Shrink this C code for fame and fun
* Date: 21 May 1996 10:49:37 -0400
*/
...were there basically because:
1) In 1997 I was not sure what could happen if I distribute software
using (any implementation of) the rc4 algorithm.
I don't want the NSA of RSA people knock my door.
2) To state that somebody published an implementation before me.
3) To acknowledge that initial implementation.
Today, and being stricter with what I write, both comments could
be rewritten such as something similar to:
/**
* This software contains an ad hoc version of the 'Alleged RC4' algorithm.
* The original source code was published on the Net by a group of cypherpunks.
* A modified version was picked up from the news:
* From: [EMAIL PROTECTED] (John L. Allen)
* Newsgroups: comp.lang.c
* Subject: Shrink this C code for fame and fun
* Date: 21 May 1996 10:49:37 -0400
* The following implementation is a total rewritten based on the previous one.
*/
> > As you have seen, I have implemented the initialization stage with
> > two functions, not one (stte_0 and key). The reason is that I want to b
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Wednesday 05 July 2006 17:16, Francisco Rosales wrote:
Hello all,
> > Unfortunately I face a break with the new GPL'ed ARC4 implementation. The
> > patch for that implementation for shc 3.7 along with some rc4 tests is
> > found at:
>
> Please, do not use the shc 3.7 rc4 implementation. It has a
> problem. In rc4, the global jndx = 0; is reset to 0 for each chuck of data
> encrypted. It must not be done so, jndx = 0; must be set only at
> initialization (in state_0).
>
> This bug was fixed in shc 3.8.
Well we start off with 3.7 because it is currently in Debian. The main problem
is the rc4 implementation which has no copyright attached. That's the reason
we started replacing it with a clean-room GPL'ed implementation and finally
make the program licensed free and consistent. Otherwise it will be removed
from the archive because of legal issues.
For the time being as for 3.7 version with the new GPL'ed rc4 implementation I
forced intentionaly relax/redistributable binary to be created to overpass
the above 'shell has changed'. I agree, it is far from being perfect.
You can find more information at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=335278
> As you have seen, I have implemented the initialization stage with
> two functions, not one (stte_0 and key). The reason is that I want to be
> able to apply more than one password, using key fuction several times.
That was what puzzled me a lot in the first place, but seems is the right way
to go.
> /* 3.8.5 */
I failed to find 3.8.5 version at http://www.datsi.fi.upm.es/~frosal/sources/
and the rows listed below are not from the last version found 3.8.3.
>851 stte_0();
>852 key(pswd, pswd_z);
>...
>862 key(chk1, chk1_z);
>...
>867 if (indx && key_with_file(kwsh)) {
>...
>875 key(chk2, chk2_z);
>
> One stte_0 but four key calls. One is key_with_file which makes
> the rest of the encryption to depend on some signature of a given file.
> This is the reason of the message (and the method to detect)
> "shell has changed!".
>
> (( You cannot make the change:
> -" key(control, sizeof(control));",
> +" key(\"control\", sizeof(control));",
>because it changes totally the pretended behaviour ))
Oh, that is a forgotten temporal compiler shut-up which will be reverted. The
first arg of the key function should be changed to void *str, but I rather go
for const char *str as more safe one, which couse a little redesign though.
> In shc-3.8.3.diff your implementation of key do not remember the
> last index exchanged (kndx) and do not uses len to bound k[] indexing to
> its real length.
Well this comes as a consequence of the above misunderstanding. I have to look
more closely to that one.
> > http://crustytoothpaste.ath.cx/~bmc/files/free/crypto.pax.bz2
> >
> > I still need to resolve why strcmp(TEXT_chk2, chk2) is put there, which
> > succeeds causing the following break:
>
> As I have already stated, key_with_file (and the ability to use
> key _incrementally_ several times) permits to make the encryption
> dependent on some details of a given file. So the decryption of chk2
> will change if the signature of the given file changes, in other words
> if the "shell has changed!".
Hm, I'm a little bit confused by the message like "shell has changed", should
it be more straightforward ... 'signature has changed' or 'decryption
failed' ?
> Perhaps my implementation of arc4 is more add-hoc than yours, but,
> please, I see no reason to break the described behaviour.
I agree with you. OTOH, in the light of having bits with clear license only we
should replace the unknown-license cypherpunks code with a license-clear
implementation. I'll try to have a look and try to achieve what you describe
above. The best solution im my opinion will be a new upstream version of shc
with license-clear arc4 implementation.
--
pub 4096R/0E4BD0AB 2003-03-18
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
Hello folks,
On Tue, 4 Jul 2006, George Danchev wrote:
> Date: Tue, 04 Jul 2006 12:55:12 +0300
> From: George Danchev <[EMAIL PROTECTED]>
> To: Alexander Schmehl <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: shc -- #335278 broken packaging -- non-DD NMU prepared
>
> On Saturday 01 July 2006 20:06, Alexander Schmehl wrote:
> > Hi!
> >
> > * George Danchev <[EMAIL PROTECTED]> [060701 15:20]:
> > > I hope that Alexander Schmehl is still willing to check it out and
> > > upload. Should anything still to be corrented I'm willing to do so. The
> > > new RC4 implementation is documented in debian/copyright, along with the
> > > match script as well (that were the points Alexnder raised in his last
> > > reviewing).
> >
> > Currently I'm on the road without my gpg-key, so I can't upload anythign
> > right now. I'll be back on Tuesday evening / wednesday morning will
> > check it then (if I don't forget it, might be a got idea to send me an
> > reminder ;)
>
> Unfortunately I face a break with the new GPL'ed ARC4 implementation. The
> patch for that implementation for shc 3.7 along with some rc4 tests is found
> at:
Please, do not use the shc 3.7 rc4 implementation. It has a
problem. In rc4, the global jndx = 0; is reset to 0 for each chuck of data
encrypted. It must not be done so, jndx = 0; must be set only at
initialization (in state_0).
This bug was fixed in shc 3.8.
As you have seen, I have implemented the initialization stage with
two functions, not one (stte_0 and key). The reason is that I want to be
able to apply more than one password, using key fuction several times.
/* 3.8.5 */
851 stte_0();
852 key(pswd, pswd_z);
...
862 key(chk1, chk1_z);
...
867 if (indx && key_with_file(kwsh)) {
...
875 key(chk2, chk2_z);
One stte_0 but four key calls. One is key_with_file which makes
the rest of the encryption to depend on some signature of a given file.
This is the reason of the message (and the method to detect)
"shell has changed!".
(( You cannot make the change:
-" key(control, sizeof(control));",
+" key(\"control\", sizeof(control));",
because it changes totally the pretended behaviour ))
In shc-3.8.3.diff your implementation of key do not remember the
last index exchanged (kndx) and do not uses len to bound k[] indexing to
its real length.
>
> http://crustytoothpaste.ath.cx/~bmc/files/free/crypto.pax.bz2
>
> I still need to resolve why strcmp(TEXT_chk2, chk2) is put there, which
> succeeds causing the following break:
As I have already stated, key_with_file (and the ability to use
key _incrementally_ several times) permits to make the encryption
dependent on some details of a given file. So the decryption of chk2
will change if the signature of the given file changes, in other words
if the "shell has changed!".
Perhaps my implementation of arc4 is more add-hoc than yours, but,
please, I see no reason to break the described behaviour.
Thanks.
>
> $ ./shc -f test.csh
> $ ./test.csh.x
> $ ./test.csh.x: No such file or directory: shell has changed!
>
> I attached a similar patch for shc 3.8.3, but the following occurs with the
> above test.csh test:
> $./test.csh.x
> $./test.csh.x: location has changed!
>
>
--
Saludos
Fran
-
Francisco Rosales García <[EMAIL PROTECTED]> TEL: +34 91 336 73 80
http://www.datsi.fi.upm.es/~frosalFAX: +34 91 336 73 73
Departamento de Arquitectura y Tecnología de Sistemas Informáticos.
Facultad de Informática. Universidad Politécnica de Madrid. España.
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Saturday 01 July 2006 20:06, Alexander Schmehl wrote:
> Hi!
>
> * George Danchev <[EMAIL PROTECTED]> [060701 15:20]:
> > I hope that Alexander Schmehl is still willing to check it out and
> > upload. Should anything still to be corrented I'm willing to do so. The
> > new RC4 implementation is documented in debian/copyright, along with the
> > match script as well (that were the points Alexnder raised in his last
> > reviewing).
>
> Currently I'm on the road without my gpg-key, so I can't upload anythign
> right now. I'll be back on Tuesday evening / wednesday morning will
> check it then (if I don't forget it, might be a got idea to send me an
> reminder ;)
Alexander,
I found a compromise fix for the above break as to force the resulting
binary
(that produced by shc) to be always redistributable. You can dget packages
from: ftp://ftp.logos-bg.net/debian-addons-bg/dists/unstable/shc/
--
pub 4096R/0E4BD0AB 2003-03-18
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
diff -Naur shc-3.8.3/shc.c shc-3.8.3.dfsg/shc.c
--- shc-3.8.3/shc.c 2005-06-28 22:28:52.0 +0300
+++ shc-3.8.3.dfsg/shc.c 2006-07-04 12:35:06.0 +0300
@@ -1,10 +1,27 @@
/* shc.c */
-/**
- * This software contains the 'Alleged RC4' source code.
- * The original source code was published on the Net by a group of cypherpunks.
- * I picked up a modified version from the news.
- * The copyright notice does not apply to that code.
+/*-
+ * This software contains a clean-room implementation of Alleged RC4 (ARC4).
+ * The following copyright notice and license apply only to that code.
+ *
+ * Copyright (c) 2006 Brian M. Carlson
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License, dated June
+ * 1991, with MD5 hash 8ca43cbc842c2336e835926c2166c28b.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to:
+ * Free Software Foundation, Inc.
+ * 51 Franklin St, Fifth Floor
+ * Boston, MA 02110-1301
+ * USA
*/
static const char my_name[] = "shc";
static const char version[] = "Version 3.8.3";
@@ -125,63 +142,85 @@
"#include ",
"#include ",
"#include ",
-"",
-"/**",
-" * 'Alleged RC4' Source Code picked up from the news.",
-" * From: [EMAIL PROTECTED] (John L. Allen)",
-" * Newsgroups: comp.lang.c",
-" * Subject: Shrink this C code for fame and fun",
-" * Date: 21 May 1996 10:49:37 -0400",
+"/*-",
+" * This software contains a clean-room implementation of Alleged RC4.",
+" * The following copyright notice and license apply only to that code.",
+" *",
+" * Copyright (c) 2006 Brian M. Carlson",
+" * ",
+" * This program is free software; you can redistribute it and/or modify",
+" * it under the terms of the GNU General Public License as published by",
+" * the Free Software Foundation; version 2 of the License, dated June",
+" * 1991, with MD5 hash 8ca43cbc842c2336e835926c2166c28b.",
+" * ",
+" * This program is distributed in the hope that it will be useful, but",
+" * WITHOUT ANY WARRANTY; without even the implied warranty of",
+" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU",
+" * General Public License for more details.",
+" * ",
+" * You should have received a copy of the GNU General Public License",
+" * along with this program; if not, write to:",
+" * Free Software Foundation, Inc.",
+" * 51 Franklin St, Fifth Floor",
+" * Boston, MA 02110-1301",
+" * USA",
+" *",
+" * In addition, as a special exception, you may deal in this software as",
+" * part of a program produced by shc (the shell script compiler) without",
+" * restriction.",
+" *",
+" * Note that people who make modified versions of this software are not",
+" * obligated to grant this special exception for their modified versions;",
+" * it is their choice whether to do so. The GNU General Public License",
+" * gives permission to release a modified version without this exception;",
+" * this exception also makes it possible to release a modified version",
+" * which carries forward this exception.",
" */",
"",
-"static unsigned char stte[256], indx, jndx, kndx;",
+"struct crypto_rc4_s",
+"{",
+" unsigned char s[256];",
+" unsigned char i;",
+" unsigned char j;",
+"} ctxo, *ctx=&ctxo;",
+"",
+"#define SWAP(x, y) do{unsigned char tmp;tmp=(x);(x)=(y);(y)=tmp;}while (0)",
"",
-"/*",
-" * Reset arc4 stte. ",
-" */",
"void stte_0(void)",
"{",
-" indx = jndx = kndx = 0;",
-" do {",
-" stte[indx] = indx;",
-" } while (++indx);",
+" int i;",
+"",
+" for (i=0; i<256; i++)",
+"
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Saturday 01 July 2006 20:06, Alexander Schmehl wrote:
> Hi!
>
> * George Danchev <[EMAIL PROTECTED]> [060701 15:20]:
> > I hope that Alexander Schmehl is still willing to check it out and
> > upload. Should anything still to be corrented I'm willing to do so. The
> > new RC4 implementation is documented in debian/copyright, along with the
> > match script as well (that were the points Alexnder raised in his last
> > reviewing).
>
> Currently I'm on the road without my gpg-key, so I can't upload anythign
> right now. I'll be back on Tuesday evening / wednesday morning will
> check it then (if I don't forget it, might be a got idea to send me an
> reminder ;)
Unfortunately I face a break with the new GPL'ed ARC4 implementation. The
patch for that implementation for shc 3.7 along with some rc4 tests is found
at:
http://crustytoothpaste.ath.cx/~bmc/files/free/crypto.pax.bz2
I still need to resolve why strcmp(TEXT_chk2, chk2) is put there, which
succeeds causing the following break:
$ ./shc -f test.csh
$ ./test.csh.x
$ ./test.csh.x: No such file or directory: shell has changed!
I attached a similar patch for shc 3.8.3, but the following occurs with the
above test.csh test:
$./test.csh.x
$./test.csh.x: location has changed!
--
pub 4096R/0E4BD0AB 2003-03-18
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
diff -Naur shc-3.8.3/shc.c shc-3.8.3.dfsg/shc.c
--- shc-3.8.3/shc.c 2005-06-28 22:28:52.0 +0300
+++ shc-3.8.3.dfsg/shc.c 2006-07-04 12:35:06.0 +0300
@@ -1,10 +1,27 @@
/* shc.c */
-/**
- * This software contains the 'Alleged RC4' source code.
- * The original source code was published on the Net by a group of cypherpunks.
- * I picked up a modified version from the news.
- * The copyright notice does not apply to that code.
+/*-
+ * This software contains a clean-room implementation of Alleged RC4 (ARC4).
+ * The following copyright notice and license apply only to that code.
+ *
+ * Copyright (c) 2006 Brian M. Carlson
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License, dated June
+ * 1991, with MD5 hash 8ca43cbc842c2336e835926c2166c28b.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to:
+ * Free Software Foundation, Inc.
+ * 51 Franklin St, Fifth Floor
+ * Boston, MA 02110-1301
+ * USA
*/
static const char my_name[] = "shc";
static const char version[] = "Version 3.8.3";
@@ -125,63 +142,85 @@
"#include ",
"#include ",
"#include ",
-"",
-"/**",
-" * 'Alleged RC4' Source Code picked up from the news.",
-" * From: [EMAIL PROTECTED] (John L. Allen)",
-" * Newsgroups: comp.lang.c",
-" * Subject: Shrink this C code for fame and fun",
-" * Date: 21 May 1996 10:49:37 -0400",
+"/*-",
+" * This software contains a clean-room implementation of Alleged RC4.",
+" * The following copyright notice and license apply only to that code.",
+" *",
+" * Copyright (c) 2006 Brian M. Carlson",
+" * ",
+" * This program is free software; you can redistribute it and/or modify",
+" * it under the terms of the GNU General Public License as published by",
+" * the Free Software Foundation; version 2 of the License, dated June",
+" * 1991, with MD5 hash 8ca43cbc842c2336e835926c2166c28b.",
+" * ",
+" * This program is distributed in the hope that it will be useful, but",
+" * WITHOUT ANY WARRANTY; without even the implied warranty of",
+" * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU",
+" * General Public License for more details.",
+" * ",
+" * You should have received a copy of the GNU General Public License",
+" * along with this program; if not, write to:",
+" * Free Software Foundation, Inc.",
+" * 51 Franklin St, Fifth Floor",
+" * Boston, MA 02110-1301",
+" * USA",
+" *",
+" * In addition, as a special exception, you may deal in this software as",
+" * part of a program produced by shc (the shell script compiler) without",
+" * restriction.",
+" *",
+" * Note that people who make modified versions of this software are not",
+" * obligated to grant this special exception for their modified versions;",
+" * it is their choice whether to do so. The GNU General Public License",
+" * gives permission to release a modified version without this exception;",
+" * this exception also makes it possible to release a modified version",
+" * which carries forward this exception.",
" */",
"",
-"static unsigned char stte[256], indx, jndx, kndx;",
+"struct crypto_rc4_s",
+"{",
+" unsigned char s[256];",
+" unsigned char i;",
+" unsigned char j;",
+"} ct
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
George Danchev <[EMAIL PROTECTED]> wrote: > On Thursday 29 June 2006 01:10, [EMAIL PROTECTED] wrote: > > On Wed, Jun 28, 2006 at 12:58:59AM +0200, Alexander Schmehl wrote: > > > /** > > > * 'Alleged RC4' Source Code picked up from the news." > > > * From: [EMAIL PROTECTED] (John L. Allen)" > > > * Newsgroups: comp.lang.c" > > > * Subject: Shrink this C code for fame and fun" > > > * Date: 21 May 1996 10:49:37 -0400" > > > */ > > > > I think it should be easy to replace that code by a DFSG-free > > implementation of RC4. Openssl include one. > > I'm afraid that I can not use OpenSSL licensed code into GPL program (shc) > without a special OpenSSL exception given from the shc's upstream, which > unfortunately did not respond to any mail sent yet. Also I'm a litle bit > scared to reimplement that myself - I might introduce hell of bugs at > least ;-) ... deviating from upstream for the matter of that is not a good > idea also. libgcrypt also has an RC4 implementation. Cheers, Walter Landry [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Thursday 29 June 2006 01:10, [EMAIL PROTECTED] wrote: > On Wed, Jun 28, 2006 at 12:58:59AM +0200, Alexander Schmehl wrote: > > [ Cc-ing the bug report, so we have it in the bts, too ] > > > > Hi! > > > > - Now the real problem: shc.c > > > > Lookit at it we have: > > > > /** > > * This software contains the 'Alleged RC4' source code. > > * The original source code was published on the Net by a group of > > cypherpunks. * I picked up a modified version from the news. > > * The copyright notice does not apply to that code. > > */ > > As far as I remember, the general belief is that 'Alleged RC4' was in > fact leaked intentionnaly by RSA inc. itself (which designed RC4). So > much for the group of cypherpunks. Right, ARC4 algorythm is also used in ssh. So the algorythm itself is not a problem. > > /** > > * 'Alleged RC4' Source Code picked up from the news." > > * From: [EMAIL PROTECTED] (John L. Allen)" > > * Newsgroups: comp.lang.c" > > * Subject: Shrink this C code for fame and fun" > > * Date: 21 May 1996 10:49:37 -0400" > > */ > > I think it should be easy to replace that code by a DFSG-free > implementation of RC4. Openssl include one. I'm afraid that I can not use OpenSSL licensed code into GPL program (shc) without a special OpenSSL exception given from the shc's upstream, which unfortunately did not respond to any mail sent yet. Also I'm a litle bit scared to reimplement that myself - I might introduce hell of bugs at least ;-) ... deviating from upstream for the matter of that is not a good idea also. -- pub 4096R/0E4BD0AB 2003-03-18 fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Wed, Jun 28, 2006 at 12:58:59AM +0200, Alexander Schmehl wrote: > [ Cc-ing the bug report, so we have it in the bts, too ] > > Hi! > > - Now the real problem: shc.c > > Lookit at it we have: > > /** > * This software contains the 'Alleged RC4' source code. > * The original source code was published on the Net by a group of > cypherpunks. > * I picked up a modified version from the news. > * The copyright notice does not apply to that code. > */ As far as I remember, the general belief is that 'Alleged RC4' was in fact leaked intentionnaly by RSA inc. itself (which designed RC4). So much for the group of cypherpunks. > /** > * 'Alleged RC4' Source Code picked up from the news." > * From: [EMAIL PROTECTED] (John L. Allen)" > * Newsgroups: comp.lang.c" > * Subject: Shrink this C code for fame and fun" > * Date: 21 May 1996 10:49:37 -0400" > */ I think it should be easy to replace that code by a DFSG-free implementation of RC4. Openssl include one. Cheers, -- Bill. <[EMAIL PROTECTED]> Imagine a large red swirl here. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
* Alexander Schmehl <[EMAIL PROTECTED]> [060628 00:59]: > - According to the header, the script "match" was [EMAIL PROTECTED] > It has no explicit license, but is so easy and short, that I don't > think one could claim copyright for that (the german word for that > would be "Sch?pfungsh?he"). If you are mentioning German terms, note that the German UrHG has special rules for computer programs, especially ?69a(3) is AFAIK interpreted that no "Sch?pfungsh?he" is necessary for computer programs. Hochachtungsvoll, Bernhard R. Link -- Sendmail is like emacs: A nice operating system, but missing an editor and a MTA. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
On Wednesday 28 June 2006 01:58, Alexander Schmehl wrote: > Let's start with something simple: > - According to the header, the script "match" was [EMAIL PROTECTED] > It has no explicit license, but is so easy and short, that I don't > think one could claim copyright for that (the german word for that > would be "Schöpfungshöhe"). I don't think the missing license of that > script is a problem, but the author should be mentioned in the > copyright file. Done. > - Now the real problem: shc.c > > Lookit at it we have: > > /** > * This software contains the 'Alleged RC4' source code. > * The original source code was published on the Net by a group of > cypherpunks. * I picked up a modified version from the news. > * The copyright notice does not apply to that code. > */ > > and: > > /** > * 'Alleged RC4' Source Code picked up from the news." > * From: [EMAIL PROTECTED] (John L. Allen)" > * Newsgroups: comp.lang.c" > * Subject: Shrink this C code for fame and fun" > * Date: 21 May 1996 10:49:37 -0400" > */ > > This post can be found at [1]. > > > Well... no license for this code, no implicit or explicit grant of any > rights... not even an "make whatever you want with this code". I don't > think we can distribute this, and I don't think this bug is fixed yet ;) > > You mentioned you allready mailed upstream, but has anyone tried to > contact the original poster of that code? Ask him, if he put his code > to public domain when posting it to that newsgroup or if he could > license it under GPL. That would the solve the problem and everything > would be fine. Seems that Northrop Grumman's corporate mail server does not remember the guy in question: - Transcript of session follows - ... while talking to gateway.grumman.com.: >>> DATA <<< 550 5.0.0 <[EMAIL PROTECTED]>... We do not accept mail from spammers. 550 5.1.1 <[EMAIL PROTECTED]>... User unknown <<< 503 5.0.0 Need RCPT (recipient) Now what ... wait for 20 (?) years in hope that nobody will claim a copyright for that piece of code so that we can have it in PD ? -- pub 4096R/0E4BD0AB 2003-03-18 fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
Bug#335278: shc -- #335278 broken packaging -- non-DD NMU prepared
[ Cc-ing the bug report, so we have it in the bts, too ] Hi! * George Danchev <[EMAIL PROTECTED]> [060627 21:21]: > > points mentioned in franks original bug report: > > > 1.2 debian/copyright: "This package has many utilities that are GPL > > > or close to GPL code." "close to GPL"??? > > > "The original source code was published on the Net by a group of > > > cypherpunks. I picked up a modified version from the news." > > > Quite a license... > Unfortunately this is out of my control. I've sent two emails to the upstream > (as well as CC'ed maintainer) asking for these legal issues to be clarified > somehow in a reasonable way, but no any feedback as of yet... for more than > month or so. I took a look at it. Let's start with something simple: - According to the header, the script "match" was [EMAIL PROTECTED] It has no explicit license, but is so easy and short, that I don't think one could claim copyright for that (the german word for that would be "Schöpfungshöhe"). I don't think the missing license of that script is a problem, but the author should be mentioned in the copyright file. - Now the real problem: shc.c Lookit at it we have: /** * This software contains the 'Alleged RC4' source code. * The original source code was published on the Net by a group of cypherpunks. * I picked up a modified version from the news. * The copyright notice does not apply to that code. */ and: /** * 'Alleged RC4' Source Code picked up from the news." * From: [EMAIL PROTECTED] (John L. Allen)" * Newsgroups: comp.lang.c" * Subject: Shrink this C code for fame and fun" * Date: 21 May 1996 10:49:37 -0400" */ This post can be found at [1]. Well... no license for this code, no implicit or explicit grant of any rights... not even an "make whatever you want with this code". I don't think we can distribute this, and I don't think this bug is fixed yet ;) You mentioned you allready mailed upstream, but has anyone tried to contact the original poster of that code? Ask him, if he put his code to public domain when posting it to that newsgroup or if he could license it under GPL. That would the solve the problem and everything would be fine. Links: 1: http://groups.google.de/group/comp.lang.c/browse_thread/thread/515617a2156da21e/d177a8bf6b984e27?lnk=st&q=Shrink+this+C+code+for+fame+and+fun+comp.lang.c&rnum=1#d177a8bf6b984e27 Yours sincerely, Alexander -- http://www.netmeister.org/news/learn2quote.html http://www.catb.org/~esr/faqs/smart-questions.html signature.asc Description: Digital signature
