Mercurial Mercurial > pub > hg > cubicweb / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
debian/copyright
author Laurent Peuch <cortex@worlddomination.be>
Fri, 12 Apr 2019 12:31:14 +0200
changeset 12584 6eba53763482
parent 11631 faf279e33298
permissions -rw-r--r--
Use secure hash algorithm in WebConfiguration.sign_text Fix: PendingDeprecationWarning: HMAC() without an explicit digestmod argument is deprecated. The default hash algorithm used by hmac.new is md5. As of today, md5 is so weak that it's the equivalent of plaintext and can't be considered to be secured at all. Therefor, we switch to a secure hash algorithm. The rational for choosing sha3_512 is: * the recommended algorithm is at least sha_256 * the stronger, the more secured and sha3_512 is the stronger available * thinking about the future this should keep this part of the code safe long enough before people think about checking it again You can read more about choosing a secure hash algorithm in the NIST recommendations https://csrc.nist.gov/Projects/Hash-Functions/NIST-Policy-on-Hash-Functions This code modification should normally be transparent since check_text_sign is exactly this code 'self.sign_text(text) == signature' and that sign_text is only used in combination with it. The only impact is that the hash is going to move from 32 char to 128 which might make html page a bit bigger and that sha3_512 is slow to compute (which is a good thing for security)

This package was debianized by Logilab <contact@logilab.fr>.
It was downloaded from http://download.logilab.org/pub/cubicweb


Upstream Author:

    Logilab <contact@logilab.fr>
    Christophe de Vienne

Copyright:

    Copyright (c) 2003-2014 LOGILAB S.A. (Paris, FRANCE).
    http://www.logilab.fr/ -- mailto:contact@logilab.fr
    Copyright (c) 2014 Unlish

License:

    This program is free software; you can redistribute it and/or modify it
    under the terms of the GNU Lesser General Public License as published by the
    Free Software Foundation; either version 2.1 of the License, or (at your
    option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT
    ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
    FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
    for more details.

    You should have received a copy of the GNU Lessser General Public License
    along with this program; if not, write to the Free Software Foundation,
    Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

On Debian systems, the complete text of the GNU Lesser General Public License
may be found in '/usr/share/common-licenses/LGPL-2.1'.

Entypo pictograms:

Author:

    Daniel Bruce <info@entypo.com> (www.entypo.com)

Licence:

    Entypo pictograms are licensed under CC BY-SA 3.0 and the font
    under SIL Open Font License.

    The rights to each pictogram in the social extension are either
    trademarked or copyrighted by the respective company.
cubicweb