Message 108926 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	lemburg
Recipients	daniel.urban, debatem1, eric.araujo, exarkun, gdamjan, giampaolo.rodola, gregory.p.smith, heikki, jsamuel, lemburg, loewis, mcrute, pitrou
Date	2010-06-29.18:25:12
SpamBayes Score	0.0046958704
Marked as misclassified	No
Message-id	<4C2A3A87.6090107@egenix.com>
In-reply-to	<1277833756.3349.0.camel@localhost.localdomain>

Content
Antoine Pitrou wrote: > > Antoine Pitrou <pitrou@free.fr> added the comment: > >> If we are to require OpenSSL or some other crypto lib, > > We already depend on OpenSSL for both hashlib and ssl, this proposal > wouldn't change anything in this regard. hashlib can still works without OpenSSL and hash algorithms don't fall under crypto laws. ssl doesn't work without OpenSSL, but also doesn't require adding any crypto code to the stdlib. The main point that needs to be addressed is shipping Python with crypto code. If OpenSSL is optionally used, we're fine, but if we start shipping crypto code, things are more contrived. See http://rechten.uvt.nl/koops/cryptolaw/ for a survey. We're hosting the Python software on servers in The Netherlands, so have to follow the Wassenaar Arrangement if we include crypto code. Fortunately, that agreement includes a clause which pretty much exempts open source crypto code from export regulations. However, users of Python downloading installers with crypto software would import and use it in their resp. countries and that may get them into trouble, so they need to be warned if we decide to ship crypto code with Python. They way I understand Geremy's suggestion is to just include a wrapper for OpenSSL, so that's fine. The PEP should include a mention of the above to argue against putting e.g. pycrypto into the stdlib (not because it's poor software, much to the contrary, only because it causes lots of problems for our users and the developers).

Antoine Pitrou wrote:
> 
> Antoine Pitrou <pitrou@free.fr> added the comment:
> 
>> If we are to require OpenSSL or some other crypto lib,
> 
> We already depend on OpenSSL for both hashlib and ssl, this proposal
> wouldn't change anything in this regard.

hashlib can still works without OpenSSL and hash algorithms don't
fall under crypto laws. ssl doesn't work without OpenSSL, but also
doesn't require adding any crypto code to the stdlib.

The main point that needs to be addressed is shipping Python
with crypto code. If OpenSSL is optionally used, we're fine,
but if we start shipping crypto code, things are more contrived.

See http://rechten.uvt.nl/koops/cryptolaw/ for a survey.

We're hosting the Python software on servers in The Netherlands,
so have to follow the Wassenaar Arrangement if we include
crypto code. Fortunately, that agreement includes a clause which
pretty much exempts open source crypto code from export regulations.

However, users of Python downloading installers with crypto software
would import and use it in their resp. countries and that may get
them into trouble, so they need to be warned if we decide to
ship crypto code with Python.

They way I understand Geremy's suggestion is to just include a
wrapper for OpenSSL, so that's fine. The PEP should include a
mention of the above to argue against putting e.g. pycrypto
into the stdlib (not because it's poor software, much to the
contrary, only because it causes lots of problems for our
users and the developers).

History
Date	User	Action	Args
2010-06-29 18:25:14	lemburg	set	recipients: + lemburg, loewis, gregory.p.smith, exarkun, pitrou, giampaolo.rodola, gdamjan, heikki, eric.araujo, debatem1, daniel.urban, mcrute, jsamuel
2010-06-29 18:25:13	lemburg	link	issue8998 messages
2010-06-29 18:25:12	lemburg	create