
This queue is for tickets about the Digest-SHA CPAN distribution.

Report information
The Basics
Id: 87878
Status: rejected
Worked: 15 min
Priority: 0/
Queue: Digest-SHA

People
Owner: Nobody in particular
Requestors: MITHALDU [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Digest::SHA documentation does not discuss differences between itself and Digest::SHA1
I found out today that this module exists, by way of Debian deprecating Digest::SHA1. However, skimming the documentation of both modules, I find no definitive qualitative analysis of the modules in comparison to each other, be it claims to performance, security or simply ease of use beyond the fact that ::SHA provides other implementations of the algorithm(?). As someone who is not well versed in hashing algorithms, this leaves me in the uncomfortable situation of having two options between which I cannot easily make an informed choice. Could you add a discussion of the differences and reasons for making this module, and if appropriate, maybe contact Gisle Aas to add a deprecation notice to his module?

Thank you for your interest in the Digest::SHA module, and for taking the time to suggest improvements in the documentation. Please know that I take your suggestions seriously, and do not dismiss them lightly.

The Digest::SHA module has resided in the Perl core since version 5.9.3. This fact alone makes it the more natural choice for computing SHA digests, since it's not necessary to install modules from CPAN. Digest::SHA1 is a legacy module that's still around because so much old software uses it. However, NIST no longer recommends the use of SHA1, and instead advises the adoption of the SHA2 algorithms, all of which are supported by the Digest::SHA module.

All of this information currently resides in the Digest::SHA pod. And that pod is already quite large and getting more difficult to navigate. Any further documentation would also have the effect of weighing down Perl, since it too resides in the core.

Note also that Gisle warns of the SHA1 security flaws in his DESCRIPTION section and points to the Digest::SHA module for the stronger algorithms. And even his own Digest module defaults to Digest::SHA over Digest::SHA1 when computing SHA1 digests. This has now been standard practice for quite a while. However, deprecating Digest::SHA1 might be a bit too extreme given the number of old modules and applications still in use that depend on it.