Re: svn commit: r29575 - /dev/httpd/ /release/httpd/
On 09/21/2018 12:27 PM, William A Rowe Jr wrote:
You may want to use this opportunity to drop md5 and sha1 hashes, you
will be yelled at by ops when you attempt to publish new instances of
these obsoleted hashes.
In the apr release case, the announce was modded through anyways, but a
subsequent thread on dev@apr determined that only sha256 is both useful
Adding a sha512 undermines our direction to users to rely on the asc pgp
Even on very stale OS's without sha256 in their tool chain, they likely
have openssl 0.9.8 or later with sha256 support.
I can tell you that I have seen unpatched barely maintained Solaris 10
servers in the wild. Chugging along. Sadly. Those things have :
# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004 (+ security fixes for: ... long list here )
Sure enough .. no sha512 there nor even sha256. Or much in fact.
However anything with a recent set of security updates :
jupiter # /usr/bin/openssl version
OpenSSL 1.0.2n 7 Dec 2017
Anything hugged by me :
# /usr/local/bin/openssl version
OpenSSL 1.1.1 11 Sep 2018
At least three flavours of OpenSSL may exist and that includes the lib
madness and RPATH fun therein. Stale may be a measure of "maintained".