Should we settle on one SSL implementation?

Pekka Pietikainen pp at ee.oulu.fi
Thu Oct 25 11:34:11 UTC 2007


On Wed, Oct 24, 2007 at 02:32:59PM -0400, Bernardo Innocenti wrote:
> On 10/24/07 13:09, Alan Cox wrote:
> >On Wed, Oct 24, 2007 at 12:14:04PM -0400, Bernardo Innocenti wrote:
> >>Please, let's not add an external dependency for something
> >>as trivial as a SHA1.
> >
> >The positives to adding an external dependancy are you only have
> >to worry about bugs in one implementation.
> 
> That's right, in general.
> 
> But in this specific case, we're talking about adding a bulky
> library and all of its dependencies to Python just to save 25
> lines of duplicated code.
Well, the point isn't saving 25 lines of code, the point is also having 
something that is certified to do SHA1 correctly. The 25 line version
isn't, even though it very likely is just as good... 

Now, having NSS depend on something small & tiny & certified for sha1
(even if it's nss-hashes inside the same tarball that could be split up
with rpm) that other stuff could use as well might be useful.
No idea what chance of that happening ever there is...

-- 
Pekka Pietikainen




More information about the fedora-devel-list mailing list