[Cryptography-dev] Bundling OpenSSL

Donald Stufft donald at stufft.io
Tue Oct 8 00:21:52 CEST 2013


On Oct 7, 2013, at 5:56 PM, Zooko Wilcox-OHearn <zooko at leastauthority.com> wrote:

> [in response to
> https://mail.python.org/pipermail/cryptography-dev/2013-October/000091.html
> ]
> 
>> 1 Do we want to bundle a backing library to ensure that there is always a minimal level of support?
> 
> We've found it necessary to do this in pycryptopp, even though it
> means we support both the bundled and non-bundled builds.
> 
>> 2 Do we want to bundle OpenSSL or is there another backing library that we'd want to bundle? (Easier to build, more portable etc?)
> 
> I personally wouldn't recommend OpenSSL, because its source code is a
> mess and it has a bad reputation among cryptographers who've looked at
> it (by which I mean Matt Green).

We'll support being backed by OpenSSL either way, exarkun wants to use
our bindings to power that. This library is going to support multiple
backing libs so someone could choose to use Crypto++ over OpenSSL
if they desired.

The question I guess becomes what features do we consider a minimum
as that will drive a lot of the decision making as to what library (if any) we
bundle as the "well we'll know for sure we have this available".

> 
> When we faced this decision in 1999, and then when we faced it again
> in 2006, we chose, both times, Crypto++. This has worked out
> acceptably well for us, and I'm not eager to move pycryptopp from
> Crypto++ to anything else, since the current thing is working, and
> changing it would be a pain, and would introduce risk of
> bugs/vulns/regressions.
> 
> I would love to share code, and hard-earned experience, and mutual
> support between the pyca and pycryptopp projects! So please feel free
> to copy what we do.
> 
> If I were starting over again today I would probably choose Botan over
> Crypto++, because Botan is more actively developed nowadays, and
> because its primary author and maintainer has provided some Python
> wrappers.
> 
> If you are going to go with OpenSSL, you should of course try to
> benefit from the work that has gone into pyOpenSSL. That includes some
> work for bundling a copy of the OpenSSL libs into the resulting
> pyOpenSSL distributions.
> 
> Regards,
> 
> Zooko Wilcox-O'Hearn
> 
> Founder, CEO, and Customer Support Rep
> https://LeastAuthority.com
> Freedom matters.


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
