[Cryptography-dev] Bundling OpenSSL

Zooko Wilcox-OHearn zooko at leastauthority.com
Mon Oct 7 23:56:08 CEST 2013


[in response to
https://mail.python.org/pipermail/cryptography-dev/2013-October/000091.html
]

> 1 Do we want to bundle a backing library to ensure that there is always a minimal level of support?

We've found it necessary to do this in pycryptopp, even though it
means we support both the bundled and non-bundled builds.

> 2 Do we want to bundle OpenSSL or is there another backing library that we'd want to bundle? (Easier to build, more portable etc?)

I personally wouldn't recommend OpenSSL, because its source code is a
mess and it has a bad reputation among cryptographers who've looked at
it (by which I mean Matt Green).

When we faced this decision in 1999, and then when we faced it again
in 2006, we chose, both times, Crypto++. This has worked out
acceptably well for us, and I'm not eager to move pycryptopp from
Crypto++ to anything else, since the current thing is working, and
changing it would be a pain, and would introduce risk of
bugs/vulns/regressions.

I would love to share code, and hard-earned experience, and mutual
support between the pyca and pycryptopp projects! So please feel free
to copy what we do.

If I were starting over again today I would probably choose Botan over
Crypto++, because Botan is more actively developed nowadays, and
because its primary author and maintainer has provided some Python
wrappers.

If you are going to go with OpenSSL, you should of course try to
benefit from the work that has gone into pyOpenSSL. That includes some
work for bundling a copy of the OpenSSL libs into the resulting
pyOpenSSL distributions.

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters.
