[issue8998] add crypto routines to stdlib
report at bugs.python.org
Tue Jun 29 20:25:14 CEST 2010
Marc-Andre Lemburg <mal at egenix.com> added the comment:
Antoine Pitrou wrote:
> Antoine Pitrou <pitrou at free.fr> added the comment:
>> If we are to require OpenSSL or some other crypto lib,
> We already depend on OpenSSL for both hashlib and ssl, this proposal
> wouldn't change anything in this regard.
hashlib can still works without OpenSSL and hash algorithms don't
fall under crypto laws. ssl doesn't work without OpenSSL, but also
doesn't require adding any crypto code to the stdlib.
The main point that needs to be addressed is shipping Python
with crypto code. If OpenSSL is optionally used, we're fine,
but if we start shipping crypto code, things are more contrived.
See http://rechten.uvt.nl/koops/cryptolaw/ for a survey.
We're hosting the Python software on servers in The Netherlands,
so have to follow the Wassenaar Arrangement if we include
crypto code. Fortunately, that agreement includes a clause which
pretty much exempts open source crypto code from export regulations.
However, users of Python downloading installers with crypto software
would import and use it in their resp. countries and that may get
them into trouble, so they need to be warned if we decide to
ship crypto code with Python.
They way I understand Geremy's suggestion is to just include a
wrapper for OpenSSL, so that's fine. The PEP should include a
mention of the above to argue against putting e.g. pycrypto
into the stdlib (not because it's poor software, much to the
contrary, only because it causes lots of problems for our
users and the developers).
Python tracker <report at bugs.python.org>
More information about the Python-bugs-list