Re: Should we settle on one SSL implementation?

On 10/24/07 13:09, Alan Cox wrote:
> On Wed, Oct 24, 2007 at 12:14:04PM -0400, Bernardo Innocenti wrote:
>> Please, let's not add an external dependency for something
>> as trivial as a SHA1.
>
> The positives to adding an external dependency are you only have
> to worry about bugs in one implementation.

That's right, in general.

But in this specific case, we're talking about adding a bulky
library and all of its dependencies to Python just to save 25
lines of duplicated code.

By doing so too carelessly, we easily create runtime or
build-time dependency loops that are hard to solve.

Surely, there must be a better way, such as creating
simpler libraries containing basic crypto algorithms.

>> We need a strong hash function as this replaces the previous weak hash +
>> memcmp when checking incoming glyphs for matches with the existing set
>> of server-resident glyphs. One could argue that this must be
>> cryptographically secure to avoid applications uploading misleading
>> glyph images.
>
> Which presumably means they'll not be using SHA1 much longer - right?

Uh?  I wasn't aware SHA1 has been broken (at least, not in
a practically exploitable way).

|___|   Bernardo Innocenti - http://www.codewiz.org/
 \___\  One Laptop Per Child - http://www.laptop.org/
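
Added example, not part of the original message or of the X server code under discussion: a Python sketch of why a glyph set that matches on the hash alone, without the memcmp, needs a collision-resistant hash. The `GlyphCache` class, the additive `weak_hash` stand-in and the two 8-byte bitmaps are constructed for illustration.

```python
import hashlib

def weak_hash(bitmap: bytes) -> int:
    # Constructed stand-in for a weak hash: 16-bit additive checksum.
    return sum(bitmap) & 0xFFFF

def sha1_key(bitmap: bytes) -> bytes:
    # SHA-1 as in the thread; hashlib.sha256 drops in unchanged.
    return hashlib.sha1(bitmap).digest()

class GlyphCache:
    """Hypothetical server-resident glyph set keyed by a hash of the bitmap."""

    def __init__(self, key_fn, memcmp):
        self.key_fn = key_fn    # hash used to look up candidate matches
        self.memcmp = memcmp    # also compare bytes before declaring a match?
        self.buckets = {}

    def upload(self, bitmap: bytes) -> bytes:
        """Store the glyph if new; return the bitmap the server will render."""
        bucket = self.buckets.setdefault(self.key_fn(bitmap), [])
        for stored in bucket:
            if not self.memcmp or stored == bitmap:
                return stored   # treated as "already resident"
        bucket.append(bitmap)
        return bitmap

# Constructed 8x8 1-bpp bitmaps: an "A" and the same rows upside down.
GLYPH_A = bytes([0x18, 0x24, 0x42, 0x7E, 0x42, 0x42, 0x42, 0x00])
GLYPH_B = GLYPH_A[::-1]

def rendered_for_second_upload(key_fn, memcmp) -> bytes:
    """Client 1 uploads GLYPH_A, client 2 uploads GLYPH_B; what does client 2 get?"""
    cache = GlyphCache(key_fn, memcmp)
    cache.upload(GLYPH_A)
    return cache.upload(GLYPH_B)

if __name__ == "__main__":
    for name, key_fn, memcmp in [("weak hash + memcmp", weak_hash, True),
                                 ("weak hash only", weak_hash, False),
                                 ("SHA-1 only", sha1_key, False)]:
        got = rendered_for_second_upload(key_fn, memcmp)
        print(f"{name:20s} correct glyph: {got == GLYPH_B}")
```

With the weak hash and no byte comparison, the second client is handed the first client's glyph; either the memcmp or a collision-resistant key prevents that.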