[Python-Dev] Cryptographic stuff for 2.3

M.-A. Lemburg mal@lemburg.com
Mon, 28 Apr 2003 09:53:35 +0200 

Moore, Paul wrote:
> From: M.-A. Lemburg [mailto:mal@lemburg.com]
> 
>>In reality it probably is for most parts of the world. But
>>why put this burden on the casual user ?
> 
> Speaking as a "casual user", I very rarely need or use crypto
> software. However, when I do need it, having it "built in" is
> a major benefit - most of the crypto packages either have
> dependencies I'm not familiar with or don't have, or go far
> too deep into crypto theory for me to follow. At the end of
> the day, all I want is simple stuff, like for urllib to get a
> "https" web page for me, "just like my browser does" (ie, with
> no thought on my part...)

Paul, that's the wrong approach to the problem. Crypto
code causes legal problems not ones which have to do with
how to wrap up distributions.

There's hardly anything to argue about here, unfortunately.

>>>>Crypto is just too much (legal) work if you're serious
>>>>about it.
>>>
>>>So then you would advise to remove the OpenSSL support
>>>from the Windows distribution, and from Python altogether?
>>
>>Hmm, I didn't know that the Windows installer comes with an SSL
>>module that includes OpenSSL. I'd strongly advise to make that
>>a separate download.
> 
> If you did, I'd expect that 99% of Windows users would perceive
> that as "Python can't handle https URLs". Having a separate
> download might be enough, as long as it was utterly trivial -
> download the package, click to install, done. All dependencies
> included, no extra work.

Right; and that would be possible... not only for Windows,
but for most supported platforms via distutils.

>>Is there ? pycrypto is all you need if you're into deep crypto.
> 
> But pycrypto (at least when I've looked into it) definitely *isn't*
> just a 1-click install, and a quick Google search reveals no way
> of getting a prebuilt Windows binary. Of course, you say "if you're
> into deep crypto", so maybe you'd say that expecting users to build
> their own isn't unreasonable at that level.
> 
> Actually, m2crypto is another candidate, and it does include
> Windows binaries (but they are a bit fiddly to install)...

Both packages are maintained outside the Python distribution,
so there's nothing much we can do to change that situation.
I was talking about the code currently integrated in Python
itself.

>>The standard SSL support is enough crypt for most people and
>>that's already included in the distribution.
> 
> But you were arguing to take it out...

I am argueing to take out the OpenSSL code currently
shipped with the Windows installer, not the wrapper
code in the _ssl module.

> Personally, I'd like the existing stuff to stay as-is. 

I can understand your point, but we have to do something
about the current situation, unless we want to put the
whole Python distribution at risk of being illegally
exported/imported/used in some parts of the world.

Making the crypto part of the distribution would solve
the problem and only introduce a mild inconvenience for
casual users.

> I don't
> particularly see the need for more crypto stuff in the core, but I'd
> like to see a well-maintained, easy to install, "sanctioned" crypto
> package for people who want to either use crypto "for real", or just
> investigate it.

That's a feature request :-)

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Software directly from the Source  (#1, Apr 28 2003)
 >>> Python/Zope Products & Consulting ...         http://www.egenix.com/
 >>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
EuroPython 2003, Charleroi, Belgium:                        57 days left