Sshlib?

Andrew Bennetts andrew-pythonlist at puzzling.org
Mon May 26 07:30:39 EDT 2003


On Mon, May 26, 2003 at 11:39:11AM +0200, Hartmut Goebel wrote:
> selwyn wrote:
> >twisted also has an ssh component.
> 
> I don't trust this implementation -- just since I'm some kind of 
> conservative regarding security issues. Its implementation is very young 
> and may not be thoroughly tested; it may (or may not) contain 
> security holes and is not yet widely used. Thus the chance to have a 
> security hole within this implementation is quite big.

This is all true.  Twisted Conch has not been thoroughly audited, so caution
is definitely advised.

On the other hand, being implemented in pure Python (except the PyCrypto
library it depends on for some things), it is also inherently less
susceptible to some kinds of vulnerability (i.e. buffer-overrun,
double-free, format string, and so on...).

In general, I feel uncomfortable relying upon any large quantity of code
written in C.  I also feel uncomfortable relying upon relatively young and
unexamined code (even if that implementation has less than 5000 lines of
code).

It's a tough choice... :(

-Andrew.





