[solar@openwall.com: Re: Upload of john 1.7 to experimental]

Javier Fernández-Sanguino Peña jfs at computer.org
Mon Feb 20 16:55:49 UTC 2006 

Sd messages don't go through...

----- Forwarded message from Solar Designer <solar at openwall.com> -----

From: Solar Designer <solar at openwall.com>
Date: Mon, 20 Feb 2006 02:56:16 +0300
To: pkg-john-devel at lists.alioth.debian.org
Cc: jfs at computer.org
Subject: Re: Upload of john 1.7 to experimental
User-Agent: Mutt/1.4.2.1i

On Sun, Feb 19, 2006 at 02:17:18PM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> > > Hi guys, I know I've not been active with John for a while so, to make
> > > ammends, I have uploaded a working version of 1.7 to experimental based on
> > > the latest John packages in unstable. This version uses the new 'system-wide'
> > > functions of John and patches have been reduced.

> On Fri, Feb 17, 2006 at 11:34:52PM +0300, Solar Designer wrote:
> > Where can I have a look at it?  (I am not a Debian user.)
> 
> It's available at ftp://ftp.debian.org/debian/pool/main/j/john/
> and mirrors worlwide.

Thanks.  I just had a look.  To me, this looks like a lot of questionable
stuff added on top of John 1.7.  Surely, I would advice Debian users to
use the official 1.7 release instead of the Debian package to avoid any
confusion with the cron jobs, etc.

I'll comment on a few specific things, though:

+if grep -q '^flags.* mmx' /proc/cpuinfo; then
+    exec -a $MYNAME /usr/lib/john/john-mmx $*
+else
+    exec -a $MYNAME /usr/lib/john/john-any $*
+fi

I think this wrapper should be dropped in favor of the runtime fallback
feature that John 1.7 implements itself.  For an example of that feature
in use, see:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/john/john.spec?rev=HEAD

+-linux-alpha:
++linux-alpha: alpha.h

+-linux-alpha-ccc:
++linux-alpha-ccc: alpha.h

I don't think there's any need for that, and for doing it for alpha only.

+++ john-1.7/debian/patches/amd64.diff

What are these changes for?  If something didn't build otherwise or if
there were compiler warnings, I'd appreciate a proper bug report.
Otherwise, please drop this patch.

+ Q: Where do I get wordlists for use with John?
+ A: http://www.openwall.com/wordlists/
++A: You can also find some at:
++    ftp://ftp.zedz.net/pub/crypto/wordlists/
++    ftp://ftp.cerias.purdue.edu/pub/dict/
++    ftp://ftp.ox.ac.uk/pub/wordlists/

This is up to you, but I intentionally did not include those references
in the official FAQ, and that's not only to bump up my CD sales. ;-)
The Openwall wordlists collection - including the free downloadable
version - includes _all_ of the wordlists found in the ox.ac.uk
collection (and a lot more) rolled into the processed wordlist files.

zedz.net and the CERIAS archive are just copies of the ox.ac.uk
collection (I think zedz had the files uncompressed, though).

+++ john-1.7/debian/patches/amd64.diff.old

Drop it?

+++ john-1.7/debian/man/john.8

This man page is a little bit oudated.  Some options have been renamed
(e.g., 1.7 uses --wordlist instead of --wordfile) and the GNU-style
syntax is now preferred (--option=VALUE instead of -option:VALUE).

Also, I suggest that you obfuscate all e-mail addresses in man pages.
This stuff gets on the web, attracting more spam to people.  s/@/ at /
for e-mail addresses would do for now.  That's what we're doing in Owl.
Does the Debian policy permit that?  I hope so; if not, it needs to be
fixed.

+++ john-1.7/debian/docs

This does not list all of the docs.  In particular, it misses CHANGES
and CONTACT.  I understand that you may want to omit INSTALL and LICENSE.

+# TODO add support for other architectures, like amd64

Yes, this should be done, and also the MMX build with runtime fallback
should be done on i386.

> > > I have tested it only
> > > minimally (against local files) and some things need to be fixed (MMX
> > > binaries for i386 will not compile). 
> > 
> > Is this something I could help with?  I'd be interested in seeing the
> > compiler error messages you're getting.
> 
> I haven't investigated it yet, it seems related to the patches in the Debian
> package (because the unpatched sources build fine) so I still have check out
> what happened. I will keep you guys informed.

I've just tried building for linux-x86-mmx with the Debian patches
applied - and the package built, albeit with one added warning (because
of a bug in a Debian patch).  But I did that on an Owl system.

Thanks again,

-- 
/sd

----- End forwarded message -----

More information about the Pkg-john-devel mailing list