Should we settle on one SSL implementation?
Bernardo Innocenti
bernie at codewiz.org
Wed Oct 24 18:32:59 UTC 2007
On 10/24/07 13:09, Alan Cox wrote:
> On Wed, Oct 24, 2007 at 12:14:04PM -0400, Bernardo Innocenti wrote:
>> Please, let's not add an external dependency for something
>> as trivial as a SHA1.
>
> The positives to adding an external dependency are you only have
> to worry about bugs in one implementation.

That's right, in general.

But in this specific case, we're talking about adding a bulky
library and all of its dependencies to Python just to save 25
lines of duplicated code.

By doing so too carelessly, we easily create runtime or
build-time dependency loops that are hard to solve.

Surely, there must be a better way, such as creating
simpler libraries containing basic crypto algorithms.

>>> We need a strong hash function as this replaces the previous weak hash +
>>> memcmp when checking incoming glyphs for matches with the existing set
>>> of server-resident glyphs. One could argue that this must be
>>> cryptographically secure to avoid applications uploading misleading
>>> glyph images.
>
> Which presumably means they'll not be using SHA1 much longer - right?

Uh? I wasn't aware SHA1 has been broken (at least, not in
a practically exploitable way).

--
\___/
|___| Bernardo Innocenti - http://www.codewiz.org/
\___\ One Laptop Per Child - http://www.laptop.org/