[in response to https://mail.python.org/pipermail/cryptography-dev/2013-October/000091.html ]
1 Do we want to bundle a backing library to ensure that there is always a minimal level of support?
We've found it necessary to do this in pycryptopp, even though it means we support both the bundled and non-bundled builds.
2 Do we want to bundle OpenSSL or is there another backing library that we'd want to bundle? (Easier to build, more portable etc?)
I personally wouldn't recommend OpenSSL, because its source code is a mess and it has a bad reputation among cryptographers who've looked at it (by which I mean Matt Green).

When we faced this decision in 1999, and then when we faced it again in 2006, we chose, both times, Crypto++. This has worked out acceptably well for us, and I'm not eager to move pycryptopp from Crypto++ to anything else, since the current thing is working, and changing it would be a pain, and would introduce risk of bugs/vulns/regressions.

I would love to share code, and hard-earned experience, and mutual support between the pyca and pycryptopp projects! So please feel free to copy what we do.

If I were starting over again today I would probably choose Botan over Crypto++, because Botan is more actively developed nowadays, and because its primary author and maintainer has provided some Python wrappers.

If you are going to go with OpenSSL, you should of course try to benefit from the work that has gone into pyOpenSSL. That includes some work for bundling a copy of the OpenSSL libs into the resulting pyOpenSSL distributions.

Regards,

Zooko Wilcox-O'Hearn

Founder, CEO, and Customer Support Rep
https://LeastAuthority.com
Freedom matters.
participants (4): Christian Heimes, Donald Stufft, Paul Kehrer, Zooko Wilcox-OHearn