path: root/debian/README.source
blob: 9063e678e64ae905d0647d0275ef2c9012ab3895 (plain)
Shared library conversion
-------------------------

As explained in the unpatched README.md, upstream intends zxcvbn-c to
be embedded in the source trees of projects that require it.  For the
purposes of this Debian package, though, it is compiled as a shared
library and as a static library.

The word lists, *.txt in the source package, may be either
  (a) compiled to a file zxcvbn.dict, or
  (b) included in the object compiled from zxcvbn.c (in our case, in
      libzxcvbn.so.* & libzxcvbn.a).
This choice is made by means of the USE_DICT_FILE compiler macro.

Contrary to what you might expect, method (a) does not permit swapping
out zxcvbn.dict for a different file: CRCs for zxcvbn.dict are
compiled into the object compiled from zxcvbn.c (in our case, in
libzxcvbn.so.0 & libzxcvbn.a).
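
The effect of a compiled-in checksum, as a sketch added here (not code from zxcvbn-c or from this package): a loader that compares a dictionary's CRC with a constant fixed at build time accepts only the dictionary generated in that build.  The names crc32_buf, dict_accept and PINNED_DICT_CRC, the use of standard CRC-32, and the sample dictionary contents are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard reflected CRC-32 (polynomial 0xEDB88320).  Assumption: chosen
 * for illustration; zxcvbn-c's own checksum routine may differ. */
static uint32_t crc32_buf(const unsigned char *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Fixed when the library object is compiled: the CRC of the dictionary
 * produced by the same build.  Constructed sample: the dictionary is the
 * single entry "123456789", whose CRC-32 is the well-known check value. */
#define PINNED_DICT_CRC 0xCBF43926u

/* Hypothetical loader check: 1 if the data matches the pinned CRC, else 0. */
static int dict_accept(const unsigned char *data, size_t len)
{
    return crc32_buf(data, len) == PINNED_DICT_CRC;
}

int main(void)
{
    const unsigned char shipped[] = "123456789";  /* constructed: built with the library */
    const unsigned char swapped[] = "123456780";  /* constructed: a replacement word list */

    printf("shipped dictionary accepted: %d\n",
           dict_accept(shipped, sizeof shipped - 1));
    printf("swapped dictionary accepted: %d\n",
           dict_accept(swapped, sizeof swapped - 1));
    return 0;
}
```

Making a replacement word list acceptable means rebuilding the object that holds the constant, which is why a separately shipped dictionary file gains nothing for a shared or static library.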

So method (a) is useless when zxcvbn-c is compiled as a shared or
static library.  Further, it complicates usage: a library user must
call ZxcvbnInit() with the path to the immutable zxcvbn.dict, and
later ZxcvbnUninit().

Given the above facts about option (a), I have opted to use option (b)
for this Debian package.  USE_DICT_FILE is unset.  Calls to
ZxcvbnInit() and ZxcvbnUninit() are not required, and README.md has
been patched accordingly.

debian/missing-sources & debian/upstream/scripts
------------------------------------------------

words-female.txt, words-male.txt and words-surname.txt are not in
their preferred format for modification.  The raw US census data, and
the script to produce the words-*.txt files, have been included in the
debian/missing-sources directory.

Some of the other words-*.txt files were generated by scripts from
HTML dumps of Wikipedia and Wiktionary articles.  If someone wanted to
modify these word lists, it would be appropriate to modify the
words-*.txt files directly, rather than those HTML dumps.
Consequently, the HTML files have not been included.

In case they are useful to someone, a copy of the scripts has been
included in debian/upstream/scripts.  A separate directory has been
used to indicate that these scripts have not been included in order to
satisfy DFSG.

DFSG repacking
--------------

In the 2.0 release of zxcvbn-c, upstream replaced words-10k-pass.txt
with words-passwd.txt.  Both files are based on password lists
produced by Mark Burnett.  words-passwd.txt is a list of the 47023
most frequently-occurring passwords in a list of ten million
passwords.  The list of ten million passwords was released by Burnett
as an update to his original list of ten thousand passwords.

While Burnett released words-10k-pass.txt under CC-BY-SA-3.0, his
release of ten million passwords came with the following disclaimer:

    BY DOWNLOADING THIS AUTHENTICATION DATA YOU AGREE NOT TO USE IT IN
    ANY MANNER WHICH IS UNLAWFUL, ILLEGAL, FRAUDULENT OR HARMFUL, OR
    IN CONNECTION WITH ANY UNLAWFUL, ILLEGAL, FRAUDULENT OR HARMFUL
    PURPOSE OR ACTIVITY INCLUDING BUT NOT LIMITED TO FRAUD, IDENTITY
    THEFT, OR UNAUTHORIZED COMPUTER SYSTEM ACCESS. THIS DATA IS ONLY
    MADE AVAILABLE FOR ACADEMIC AND RESEARCH PURPOSES.

This violates (at least) DFSG clause 6.  In repacking the upstream
source, I have replaced words-passwd.txt with the old
words-10k-pass.txt, and updated the makefile and test suite expected
values accordingly.

 -- Sean Whitton <spwhitton@spwhitton.name>, Tue, 29 Nov 2016 16:40:19 -0700