[Python-Dev] Cryptographic stuff for 2.3
M.-A. Lemburg mal@lemburg.com
Fri, 25 Apr 2003 10:02:26 +0200
Martin v. Löwis wrote:
> M.-A. Lemburg wrote:
>> That's really optimistic. Every CD vendor, mirror site, etc. in the world hosting the Python distribution would have to go through the business of evaluating whether it's legal to distribute Python or not in their particular case.
>
> Every CD vendor, mirror site, etc. would have to perform a risk analysis, yes. That goes beyond analysing the legal status only - people will usually also take into account what the risk of prosecution is. They already do that for all other software they distribute, and apparently come to the conclusion that the risk of being prosecuted is nearly zero.
In reality it probably is for most parts of the world. But why put this burden on the casual user?
>> Crypto is just too much (legal) work if you're serious about it.
>
> So then you would advise to remove the OpenSSL support from the Windows distribution, and from Python altogether?
Hmm, I didn't know that the Windows installer comes with an SSL module that includes OpenSSL. I'd strongly advise to make that a separate download. At the very least, there should be a Windows installer without that module and a note on the web-site mentioning the problem and maybe linking to the URL I gave in my other mail.
In any case, the download page should have a note about the use of crypto code and interfaces to crypto code to make things safer for both the PSF and the user downloading the distribution.
> Because if not, why would it be bad to add more cryptographic packages to the standard Python distribution? Either you violate some law in some country already by distributing Python from A to B, or you don't. Adding another package doesn't change anything here.
I can't follow your argument. This is like "you've robbed one bank; it doesn't get worse if you rob another two".
I also don't understand your position in the light of the PSF's intentions. The PSF is meant to protect the IP in Python -- how does that fit with being careless about breaking the law?
>> I also don't really see a problem here: there are plenty good crypto packages out there ready to be used.
>
> And it may be indeed the case that authors of such packages fear the loss of reputation if competing packages were included into the Python distribution :-(
Is there? pycrypto is all you need if you're into deep crypto. The standard SSL support is enough crypto for most people and that's already included in the distribution.
--
Marc-Andre Lemburg
eGenix.com
Professional Python Software directly from the Source (#1, Apr 25 2003)
Python/Zope Products & Consulting ... http://www.egenix.com/
mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
EuroPython 2003, Charleroi, Belgium: 60 days left