[issue8998] add crypto routines to stdlib

lorph report at bugs.python.org
Sun Sep 19 02:09:00 CEST 2010

lorph <lorph1 at gmail.com> added the comment:

> It certainly makes more sense than making Python depend on *several* crypto libraries.

Since libtomcrypt is public domain, you could incorporate the source into the tree without making it a binary dependency. The same cannot be said for OpenSSL. I certainly wouldn't mind having 1 dependency on NSS, but having 2 modules depend on OpenSSL is a step in the wrong direction.

> As for the licensing restriction, it doesn't seem to disturb many Python users. It's the first time I see someone complaining about it.

It took several years for someone like Marc-Andre Lemburg to find that the Python website might be violating that license. Perhaps the reason is that no one bothers to read licenses carefully. People are probably violating the license without knowing it.

If you take a look at the clause "All advertising materials mentioning features or use of this software must display the following acknowledgment", you will find at least 2 problems. 

One is that if you mention something like "base64" in whatever could be deemed "advertising", you will be subject to this clause because base64 is a feature of OpenSSL, even if you don't use their implementation. Another problem is the difference between the clause "features or use of this software", which is semantically different from "features of this software or use of this software".

Is it worth the risk to depend on Eric Young's proclivity to sue now that he works for RSA and produces competing software called BSAFE? Maybe it is for you, but certainly not for me.


Python tracker <report at bugs.python.org>
