[Python-Dev] Cryptographic stuff for 2.3

Moore, Paul Paul.Moore@atosorigin.com
Fri, 25 Apr 2003 09:59:52 +0100 

From: M.-A. Lemburg [mailto:mal@lemburg.com]
> In reality is probably is for most parts of the world. But
> why put this burden on the casual user ?

Speaking as a "casual user", I very rarely need or use crypto
software. However, when I do need it, having it "built in" is
a major benefit - most of the crypto packages either have
dependencies I'm not familiar with or don't have, or go far
too deep into crypto theory for me to follow. At the end of
the day, all I want is simple stuff, like for urllib to get a
"https" web page for me, "just like my browser does" (ie, with
no thought on my part...)

>>> Crypto is just too much (legal) work if you're serious
>>> about it.
>>=20
>> So then you would advise to remove the OpenSSL support
>> from the Windows distribution, and from Python altogether?
>
> Hmm, I didn't know that the Windows installer comes with an SSL
> module that includes OpenSSL. I'd strongly advise to make that
> a separate download.

If you did, I'd expect that 99% of Windows users would perceive
that as "Python can't handle https URLs". Having a separate
download might be enough, as long as it was utterly trivial -
download the package, click to install, done. All dependencies
included, no extra work.

> Is there ? pycrypto is all you need if you're into deep crypto.

But pycrypto (at least when I've looked into it) definitely *isn't*
just a 1-click install, and a quick Google search reveals no way
of getting a prebuilt Windows binary. Of course, you say "if you're
into deep crypto", so maybe you'd say that expecting users to build
their own isn't unreasonable at that level.

Actually, m2crypto is another candidate, and it does include
Windows binaries (but they are a bit fiddly to install)...

> The standard SSL support is enough crypt for most people and
> that's already included in the distribution.

But you were arguing to take it out...

Personally, I'd like the existing stuff to stay as-is. I don't
particularly see the need for more crypto stuff in the core, but I'd
like to see a well-maintained, easy to install, "sanctioned" crypto
package for people who want to either use crypto "for real", or just
investigate it.

Paul.