[Users] Fwd: Deprecate libcrypt and don't build it by default.

Michael Schwendt bugs.michael at gmx.net
Tue Mar 13 14:18:26 CET 2018


On Thu, 1 Feb 2018 11:43:36 +0100, Andrej Kacian wrote:

> > The following has been causing some disturbance recently:
> > 
> > | Deprecate libcrypt and don't build it by default.
> > | https://sourceware.org/ml/libc-alpha/2017-08/msg01257.html
> > 
> > | The function prototypes for crypt and encrypt are removed from
> > | unistd.h, and the function prototype for setkey is removed from
> > | stdlib.h; they do *not* come back with --enable-obsolete-crypt.
> > 
> > Claws Mail still contains compatibility code to decrypt old passwords
> > which the user has not changed. As I understand it, Claws Mail does
> > not re-encrypt those old passwords automatically, because it would not
> > add security before the user would set a customized Master Password
> > (a feature since 3.14.0).
> > 
> > Are there any plans with regard to this?  
> 
> There are no plans as of yet. The idea was that the old-style passwords
> would eventually disappear, one by one, from users' configurations, and
> the compatibility code will be removed many, many years from now.
> 
> I guess we could look at adding our own
> --disable-obsolete-password-encryption configure option sometime.

Some time has passed by without changing the fundamental problem.
Therefore I've refreshed the topic at Fedora. From a few alternative APIs
for DES, which may be used as a replacement, the Nettle library has been
pointed at because it's used by GnuTLS already anyway. Here's a brief
version of the patch that simulates encrypt() with Nettle so as to decode
old passwords in Claws Mail:

https://mschwendt.fedorapeople.org/claws-mail-3.16.0-encrypt-nettle.diff


