[Python-Dev] Cryptographic stuff for 2.3

M.-A. Lemburg mal@lemburg.com
Fri, 25 Apr 2003 10:02:26 +0200

Martin v. Löwis wrote:
> M.-A. Lemburg wrote:
>> That's really optimistic. Every CD vendor, mirror site, etc. in the
>> world hosting the Python distribution would have to go through the
>> business of evaluating whether it's legal to distribute Python or not
>> in their particular case.
> Every CD vendor, mirror site, etc. would have to perform a risk
> analysis, yes. That goes beyond analysing the legal status only - people
> will usually also take into account what the risk of prosecution is.
> They already do that for all other software they distribute, and
> apparently come to the conclusion that the risk of being prosecuted is
> nearly zero.

In reality it probably is for most parts of the world. But why
put this burden on the casual user ?

>> Crypto is just too much (legal) work if you're serious about it.
> So then you would advise to remove the OpenSSL support from the Windows
> distribution, and from Python altogether?

Hmm, I didn't know that the Windows installer comes with an SSL
module that includes OpenSSL. I'd strongly advise to make that
a separate download. At the very least, there should be a Windows
installer without that module and a note on the web-site mentioning
the problem and maybe linking to the URL I gave in my other mail.

In any case, the download page should have a note about the
use of crypto code and interfaces to crypto code to make things
safer for both the PSF and the user downloading the distribution.

> Because if not, why would it be bad to add more cryptographic packages
> to the standard Python distribution? Either you violate some law in some
> country already by distributing Python from A to B, or you don't. Adding
> another package doesn't change anything here.

I can't follow your argument. This is like "you've robbed
one bank; it doesn't get worse if you rob another two".

I also don't understand your position in the light of the PSF's
intentions. The PSF is meant to protect the IP in Python -- how
does that fit with being careless about breaking law ?

>> I also don't really see a problem here: there are plenty good
>> crypto packages out there ready to be used.
> And it may be indeed the case that authors of such package fear the loss
> of reputation if competing packages were included into the Python
> distribution :-(

Is there ? pycrypto is all you need if you're into deep crypto.
The standard SSL support is enough crypt for most people and
that's already included in the distribution.

Marc-Andre Lemburg
