[issue8998] add crypto routines to stdlib
lorph
report at bugs.python.org
Tue Sep 21 10:32:59 CEST 2010
lorph <lorph1 at gmail.com> added the comment:
> The license of a software product cannot affect software that is not even aware of that said product.
I never claimed that the clause triggered for all software in existence. We are talking about OpenSSL being bundled with Python where Python is very much aware of OpenSSL. Provided the following 3 circumstances are met, the advertisement clause applies:
1. You are distributing Python with OpenSSL
2. You are "advertising".
3. Your advertising mentions features.
By mentioning features of Python, or even a feature of OpenSSL you don't even use (base64), by the wording of the license you are obligated to also advertise OpenSSL and Eric Young. This obviously has a chilling effect on the distribution and advertising of Python apps. Think about the 100 char blurb on every small web banner.
> In fact, if fast means "vulnerable to side-channel cryptanalysis" I'm firmly opposed to it, and I don't know if that's the case here. OpenSSL has at least been subject to significant attention in that regard.
LTC does address side-channel attacks, but this is a moot point since by using a high level language like Python, you are vulnerable to memory scanning since you cannot normally zero out Python strings (something you may wish to consider in the crypto API).
I'd also add that the "rounds" option should be left in for compatibility reasons. For easy usage, a default such as CBC could be specified. Otherwise, I don't think there is anything wrong with the API.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8998>
_______________________________________
More information about the Python-bugs-list
mailing list