[Pythonmac-SIG] Package Manager idea, adding a URL scheme

Bob Ippolito bob at redivi.com
Fri Oct 3 12:47:09 EDT 2003


On Friday, Oct 3, 2003, at 12:04 America/New_York, Michael Hudson wrote:

> Bob Ippolito <bob at redivi.com> writes:
>
>> pyCrypto's license is the following (and is not dependent on any other
>> libraries):
>> ===================================================================
>> Distribute and use freely; there are no restrictions on further
>> dissemination and usage except those imposed by the laws of your
>> country of residence.  This software is provided "as is" without
>> warranty of fitness for use or suitability for any purpose, express
>> or implied. Use at your own risk or not at all.
>> ===================================================================
>>
>> Incorporating the code into commercial products is permitted; you do
>> not have to make source available or contribute your changes back
>> (though that would be nice).
>>
>> That sounds Python compatible to me :)  I think this problem is
>> solved. Crypto supports the following public key algorithms:
>> Public-key algorithms: RSA, DSA, ElGamal, qNEW.
>>
>> ElGamal is what PGP uses, IIRC.
>>
>> What's the procedure to convince Guido that Python should REALLY have
>> this module as part of any distribution that also includes PackMan?
>
> There are ghastly legal issues that obstruct crypto support (there
> have been threads on python-dev about this) and there's also a code
> quality/ease of maintenance issue about pyCrypto itself (I have no
> idea about it in this regard).

According to the homepage:
With the relaxing of US export controls for encryption software, it's 
now possible to distribute cryptographic source code and export it from 
the US, so now anyone in the world can download the Python Cryptography 
Toolkit.

What are the remaining legal issues?  Can you point me to any 
semi-recent threads?  I thought that since the laws were eased up in 
the US it was pretty safe to throw around cryptography software.

Note that the intended use for PackMan isn't cryptography per se, it's 
cryptographic authentication.  The documents themselves won't be 
encrypted, but will be signed cryptographically for authentication 
purposes only.

As for code quality / ease of maintenance, a cursory glance of the 
source code makes me think that it looks clean, commented where it 
matters, and it's got unit tests that are less than trivial.  A look at 
CVS shows that the code is very stable (most of it hasn't been 
updated in 5 months or more), but there is still development/fixes (as 
recent as 3 weeks ago).  I can attest to the fact that the code works, 
because I've seen it work in Twisted (the SSH client and server depend 
on Crypto, for example).  As long as Twisted is around, Crypto will be 
around (at least one Twisted team member has access to Crypto CVS), 
which will presumably be quite a long time.  The code is also very simple, 
it seems to be as simple as possible but no simpler.  Most of the code 
that looks strange is commented, for example:

(from crypto/PublicKey/qNEW.py)
# Ensure that p-1 is a multiple of q
p = p - (p % (2*obj.q)-1)

Not including higher level wrappers, these are the projects that I 
could easily find that depend on pycrypto to various degrees (which 
ensures that there's a user base that cares to keep pycrypto alive, 
working, and bug free):
	Twisted
		http://www.twistedmatrix.com/
		absolutely necessary for Conch, the SSH2 client/server, optional for AES, DES, RSA, DSA elsewhere (encrypted TAPs, for example)
	secsh
		http://www.lag.net/~robey/secsh/
		the second pure-python-except-for-pycrypto implementation of ssh2 - currently client only
	PythonOtp
		https://moin.conectiva.com.br/PythonOtp
		implements support for all requirements, recommendations, and optional features described in RFC2289. This RFC defines a standard for the implementation of OTP - one-time passwords (optional dependency on pycrypto for md4)
	hashtar
		http://nitace.bsd.uchicago.edu:8080/hashtar
		an encrypted archive utility designed for secure archiving to media vulnerable to corruption
	PyHIP
		http://honor.trusecure.com/pipermail/hipsec/2003-July/000001.html (not sure if it has a real homepage yet)
		Python Host Identity Protocol implementation (mobility/multihoming), I think it has something to do with ipv6
	web2ldap
		http://www.web2ldap.de/
		A generic LDAPv3 client which does not make any assumptions about the tree structure or LDAP schema (optionally uses pycrypto for md4)
	Cwm
		http://www.w3.org/2000/10/swap/doc/cwm.html
		Cwm is a general-purpose data processor for the semantic web...  (looks like it intends to use pycrypto, if it does not already, the code is newer than the html that suggests it is moving from amkCrypto to pycrypto, same author)
	TechnoBot
		http://joi.ito.com/joiwiki/TechnoBot
		Joi's Technorati Jabber Alert System and Technorati Cosmos Sidebar Maker  (needs pycrypto for hashing)
	dnd
		http://thayer.dartmouth.edu/~sting/sw.shtml
		A Python library for talking to Dartmouth Name Directory servers.

-bob



