What dependencies are tolerated for rsync ?

[Simo Sorce]

Dear list,
I have had some requests, for some time now, to develop a patch to make
it possible to use a better hashing algorithm than md5 (or md4) in rsync
(even more so after the recent md5 collision attack on Certificate
authorities).
Aside the fact that this will require a new protocol version one of the
requests I had is to use a FIPS certified library and not code up, yet
again, our own version of the algorithm.

There are a few libraries that can accomplish that that are certified
like NSS or may soon be like libgcrypt.

The advantage of using a library is that these libraries provide an easy
way to add new hashing/encryption algorithms (and remove/deprecate old
insecure ones along the way).

Before I start thinking about a way to add a hashing algorithm
negotiation sub-protocol or anything like that, or even just a specific
new hash algorithm like sha256 I was wondering if there is any opinion
or guideline on acceptable dependencies for rsync ?

Would it be ok to require one of these libraries ? Would it be ok if
they were optional ? (By ok I mean the patch would at some point be
accepted in the main code).
With fallback to the current md5 algorithm only if they are not linked
in ?

cheers,
Simo.
 
-- 
Simo Sorce * Red Hat, Inc * New York