RFC: Consolidating the Cryptography library for a general release

> -----Original Message-----
> From: Robert Withers
>
> This is a request for comment on consolidating the Cryptography
> library for a general release.  What I mean by that is consolidating
> to a single Monticello package, that would allow users to one-click
> load the basic library.  Currently there is an implicit load order
> which most users don't know.  We still don't have Configuration
> support so that isn't a solution right now.
>
> If this idea is supported, I suggest we look at all the packages and
> decide which are "in", then generate the Cryptography package with
> these packages loaded.
>
> Those packages that are not included, like Cryptography-SMIME for
> instance, should really be renamed to not have the Cryptography-
> prefix.  The old versions can be deleted to keep things clean.
>
> Those packages that are selected, and are determined to be complete,
> could be deleted as independent packages and we would just rely on
> them being in the consolidated package and develop there when
> needed.  After this first step is completed, we could reassign the
> classes to a more compact categorization.
>
> Below is a list of the packages.  Please vote and if your vote is
> yes, what are your package recommendations as described below.
>
> Rob
>
> Packages:
> Those with a '*' in front are my suggestions as to which is to be
> included in Cryptography.  Those with a '!' in front are my
> suggestions as to which should be renamed away from Cryptography-.
> Those with a '+++' are candidates for deletion, since they have been
> superseded.
>
> * Cryptography-ARC2
> * Cryptography-ASN1
> * Cryptography-Core
> * Cryptography-DES
> * Cryptography-DSA
> * Cryptography-ElGamal
> * Cryptography-MD4
> * Cryptography-MD5
> * Cryptography-PKCS12
> * Cryptography-RC4
> * Cryptography-RSA
> * Cryptography-RandomAndPrime
> * Cryptography-Rijndael
> * Cryptography-SHA1
> * Cryptography-SHA256
> ! Cryptography-SMIME
> ! Cryptography-SSL
> * Cryptography-Tests
> * Cryptography-X509
> +++Fortuna  (this exists in RandomAndPrime)
> ! Cryptography-MSCerts
> +++Cryptography-TLS (this is superseded by SSL)
> OpenPGP
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

> There is some working and useful code in MSCerts and I need to  
> review TLS
> for any dependencies.  Also the work that I started which  
> integrates SSL
> with Kom is there, I think in the tls package, so as long as we  
> don't delete
> them I'm ok with renaming them.  Were you planning on moving SSL  
> and SMIME
> into another repository or just renaming them within the Cryptography
> repository?

> I agree with you that this introduced some load
> dependencies.  Also the size of the classes themselves is not large  
> enough
> to really warrant their own packages.  We probably introduced more  
> problems
> and confusion then we solved.  So I agree with your suggestion and  
> would
> support having one cryptography package with all the component  
> algorithms,
> and then separate packages for applications.  I should also move my
> KeyHolder and my PasswordSaltAndStretch somewhere.  I'm not sure  
> they are
> components but they are not really applications either.  Suggestions?

>
> Ron
>
>> -----Original Message-----
>> From: Robert Withers
>>
>> This is a request for comment on consolidating the Cryptography
>> library for a general release.  What I mean by that is consolidating
>> to a single Monticello package, that would allow users to one-click
>> load the basic library.  Currently there is an implicit load order
>> which most users don't know.  We still don't have Configuration
>> support so that isn't a solution right now.
>>
>> If this idea is supported, I suggest we look at all the packages and
>> decide which are "in", then generate the Cryptography package with
>> these packages loaded.
>>
>> Those packages that are not included, like Cryptography-SMIME for
>> instance, should really be renamed to not have the Cryptography-
>> prefix.  The old versions can be deleted to keep things clean.
>>
>> Those packages that are selected, and are determined to be complete,
>> could be deleted as independent packages and we would just rely on
>> them being in the consolidated package and develop there when
>> needed.  After this first step is completed, we could reassign the
>> classes to a more compact categorization.
>>
>> Below is a list of the packages.  Please vote and if your vote is
>> yes, what are your package recommendations as described below.
>>
>> Rob
>>
>> Packages:
>> Those with a '*' in front are my suggestions as to which is to be
>> included in Cryptography.  Those with a '!' in front are my
>> suggestions as to which should be renamed away from Cryptography-.
>> Those with a '+++' are candidates for deletion, since they have been
>> superseded.
>>
>> * Cryptography-ARC2
>> * Cryptography-ASN1
>> * Cryptography-Core
>> * Cryptography-DES
>> * Cryptography-DSA
>> * Cryptography-ElGamal
>> * Cryptography-MD4
>> * Cryptography-MD5
>> * Cryptography-PKCS12
>> * Cryptography-RC4
>> * Cryptography-RSA
>> * Cryptography-RandomAndPrime
>> * Cryptography-Rijndael
>> * Cryptography-SHA1
>> * Cryptography-SHA256
>> ! Cryptography-SMIME
>> ! Cryptography-SSL
>> * Cryptography-Tests
>> * Cryptography-X509
>> +++Fortuna  (this exists in RandomAndPrime)
>> ! Cryptography-MSCerts
>> +++Cryptography-TLS (this is superseded by SSL)
>> OpenPGP
>>
>> _______________________________________________
>> Cryptography mailing list
>> [hidden email]
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
>> cryptography
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
> cryptography

> If this idea is supported, I suggest we look at all the packages and
> decide which are "in", then generate the Cryptography package with
> these packages loaded.
>
> Those packages that are not included, like Cryptography-SMIME for
> instance, should really be renamed to not have the Cryptography-
> prefix.  The old versions can be deleted to keep things clean.
>
> Those packages that are selected, and are determined to be complete,
> could be deleted as independent packages and we would just rely on
> them being in the consolidated package and develop there when
> needed.  After this first step is completed, we could reassign the
> classes to a more compact categorization.
>
> Below is a list of the packages.  Please vote and if your vote is
> yes, what are your package recommendations as described below.
>
> Rob
>
> Packages:
> Those with a '*' in front are my suggestions as to which is to be
> included in Cryptography.  Those with a '!' in front are my
> suggestions as to which should be renamed away from Cryptography-.
> Those with a '+++' are candidates for deletion, since they have been
> superseded.
>
> * Cryptography-ARC2
> * Cryptography-ASN1
> * Cryptography-Core
> * Cryptography-DES
> * Cryptography-DSA
> * Cryptography-ElGamal
> * Cryptography-MD4
> * Cryptography-MD5
> * Cryptography-PKCS12
> * Cryptography-RC4
> * Cryptography-RSA
> * Cryptography-RandomAndPrime
> * Cryptography-Rijndael
> * Cryptography-SHA1
> * Cryptography-SHA256
> ! Cryptography-SMIME
> ! Cryptography-SSL
> * Cryptography-Tests
> * Cryptography-X509
> +++Fortuna  (this exists in RandomAndPrime)
> ! Cryptography-MSCerts
> +++Cryptography-TLS (this is superseded by SSL)
> OpenPGP
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>

> Here is my in-order list of packages for the Cryptography Configuration:
>
> Cryptography-Core
> Cryptography-ARC2
> Cryptography-RC4
> Cryptography-MD4
> Cryptography-MD5
> Cryptography-SHA1
> Cryptography-SHA256
> Cryptography-DES
> Cryptography-DSA
> Cryptography-RSA
> Cryptography-ElGamal
> Cryptography-Rijndael
> Cryptography-RandomAndPrime
> Cryptography-ASN1
> Cryptography-X509
> Cryptography-PKCS12
> Cryptography-Tests

> cheers,
> Rob
>
> On Apr 21, 2007, at 8:55 AM, Philippe Marschall wrote:
>
> > 2007/4/21, Robert Withers <[hidden email]>:
> >> This is a request for comment on consolidating the Cryptography
> >> library for a general release.  What I mean by that is consolidating
> >> to a single Monticello package, that would allow users to one-click
> >> load the basic library.  Currently there is an implicit load order
> >> which most users don't know.  We still don't have Configuration
> >> support so that isn't a solution right now.
> >
> > What's the problem there? If you can load it with Monticello it should
> > be no problem to have a Configuration Map for it. I could even build
> > you one. Just tell me what you want in and in which order.
> >
> > Cheers
> > Philippe
> >
> >> If this idea is supported, I suggest we look at all the packages and
> >> decide which are "in", then generate the Cryptography package with
> >> these packages loaded.
> >>
> >> Those packages that are not included, like Cryptography-SMIME for
> >> instance, should really be renamed to not have the Cryptography-
> >> prefix.  The old versions can be deleted to keep things clean.
> >>
> >> Those packages that are selected, and are determined to be complete,
> >> could be deleted as independent packages and we would just rely on
> >> them being in the consolidated package and develop there when
> >> needed.  After this first step is completed, we could reassign the
> >> classes to a more compact categorization.
> >>
> >> Below is a list of the packages.  Please vote and if your vote is
> >> yes, what are your package recommendations as described below.
> >>
> >> Rob
> >>
> >> Packages:
> >> Those with a '*' in front are my suggestions as to which is to be
> >> included in Cryptography.  Those with a '!' in front are my
> >> suggestions as to which should be renamed away from Cryptography-.
> >> Those with a '+++' are candidates for deletion, since they have been
> >> superseded.
> >>
> >> * Cryptography-ARC2
> >> * Cryptography-ASN1
> >> * Cryptography-Core
> >> * Cryptography-DES
> >> * Cryptography-DSA
> >> * Cryptography-ElGamal
> >> * Cryptography-MD4
> >> * Cryptography-MD5
> >> * Cryptography-PKCS12
> >> * Cryptography-RC4
> >> * Cryptography-RSA
> >> * Cryptography-RandomAndPrime
> >> * Cryptography-Rijndael
> >> * Cryptography-SHA1
> >> * Cryptography-SHA256
> >> ! Cryptography-SMIME
> >> ! Cryptography-SSL
> >> * Cryptography-Tests
> >> * Cryptography-X509
> >> +++Fortuna  (this exists in RandomAndPrime)
> >> ! Cryptography-MSCerts
> >> +++Cryptography-TLS (this is superseded by SSL)
> >> OpenPGP
> >>
> >> _______________________________________________
> >> Cryptography mailing list
> >> [hidden email]
> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> cryptography
> >>
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography
>
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>
>
>

> -----Original Message-----
> From: Robert Withers [mailto:[hidden email]]
> Sent: Saturday, April 21, 2007 11:31 AM
> To: [hidden email]; Cryptography Team Development List
> Subject: Re: [Cryptography Team] RFC: Consolidating the Cryptography
> library fora general release
>
> Hi Ron,
>
>
> On Apr 20, 2007, at 7:53 PM, Ron Teitelbaum wrote:
>
> > Hi Rob,
> >
> > Very cool about the SMIME work I'm looking forward to working with it.
>
> I have one last bug to fix for signatures.
>
> > There is some working and useful code in MSCerts and I need to
> > review TLS
> > for any dependencies.  Also the work that I started which
> > integrates SSL
> > with Kom is there, I think in the tls package, so as long as we
> > don't delete
> > them I'm ok with renaming them.  Were you planning on moving SSL
> > and SMIME
> > into another repository or just renaming them within the Cryptography
> > repository?
>
> I was just going to re-categorize them and republish them as SSL and
> SMIME, but leave them in this repository.  I have already done this
> locally for SMIME, but I am waiting for the go ahead on the
> consolidation.
>
> > We originally separated them out so that someone could select which
> > components they needed.
>
> I thought it was done to assist with concurrent development, but most
> of it is stable now.
>
> > I agree with you that this introduced some load
> > dependencies.  Also the size of the classes themselves is not large
> > enough
> > to really warrant their own packages.  We probably introduced more
> > problems
> > and confusion then we solved.  So I agree with your suggestion and
> > would
> > support having one cryptography package with all the component
> > algorithms,
> > and then separate packages for applications.  I should also move my
> > KeyHolder and my PasswordSaltAndStretch somewhere.  I'm not sure
> > they are
> > components but they are not really applications either.  Suggestions?
>
> I think something in RC2 or something uses KeyHolder, et al.   Let's
> leave them in.
>
> So you agree with my package allocation?
>
> Rob
>
> >
> > Ron
> >
> >> -----Original Message-----
> >> From: Robert Withers
> >>
> >> This is a request for comment on consolidating the Cryptography
> >> library for a general release.  What I mean by that is consolidating
> >> to a single Monticello package, that would allow users to one-click
> >> load the basic library.  Currently there is an implicit load order
> >> which most users don't know.  We still don't have Configuration
> >> support so that isn't a solution right now.
> >>
> >> If this idea is supported, I suggest we look at all the packages and
> >> decide which are "in", then generate the Cryptography package with
> >> these packages loaded.
> >>
> >> Those packages that are not included, like Cryptography-SMIME for
> >> instance, should really be renamed to not have the Cryptography-
> >> prefix.  The old versions can be deleted to keep things clean.
> >>
> >> Those packages that are selected, and are determined to be complete,
> >> could be deleted as independent packages and we would just rely on
> >> them being in the consolidated package and develop there when
> >> needed.  After this first step is completed, we could reassign the
> >> classes to a more compact categorization.
> >>
> >> Below is a list of the packages.  Please vote and if your vote is
> >> yes, what are your package recommendations as described below.
> >>
> >> Rob
> >>
> >> Packages:
> >> Those with a '*' in front are my suggestions as to which is to be
> >> included in Cryptography.  Those with a '!' in front are my
> >> suggestions as to which should be renamed away from Cryptography-.
> >> Those with a '+++' are candidates for deletion, since they have been
> >> superseded.
> >>
> >> * Cryptography-ARC2
> >> * Cryptography-ASN1
> >> * Cryptography-Core
> >> * Cryptography-DES
> >> * Cryptography-DSA
> >> * Cryptography-ElGamal
> >> * Cryptography-MD4
> >> * Cryptography-MD5
> >> * Cryptography-PKCS12
> >> * Cryptography-RC4
> >> * Cryptography-RSA
> >> * Cryptography-RandomAndPrime
> >> * Cryptography-Rijndael
> >> * Cryptography-SHA1
> >> * Cryptography-SHA256
> >> ! Cryptography-SMIME
> >> ! Cryptography-SSL
> >> * Cryptography-Tests
> >> * Cryptography-X509
> >> +++Fortuna  (this exists in RandomAndPrime)
> >> ! Cryptography-MSCerts
> >> +++Cryptography-TLS (this is superseded by SSL)
> >> OpenPGP
> >>
> >> _______________________________________________
> >> Cryptography mailing list
> >> [hidden email]
> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> cryptography
> >
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography

>
> On Apr 21, 2007, at 10:26 AM, Philippe Marschall wrote:
>
> > 2007/4/21, Robert Withers <[hidden email]>:
> >> Hi Philippe,
> >>
> >> I hadn't realized that Configurations had been fixed in 3.9.  They
> >> were broken badly in 3.8.
> >
> > They don't work out of the box in 3.9, you're right about that. I
> > don't know what the situation on 3.8.1 is.
>
> I'm sorry but I don't think it is suitable to deploy Cryptography
> using a mechanism that does not work out of the box.  It has been two
> cycles (3.8 and 3.9) where this problem has existed without being
> repaired.  We are trying to arrive at a solution to allow users to
> load Cryptography out of the box, so they can start using
> applications that are built on top of Cryptography, like SMIME and
> SSL.  I think consolidating the library makes perfect sense, and if
> someone needs a slimmed down version we can create one for them.  I'm
> sorry if a little frustration is coming through, but Monticello is a
> fantastic product that I use everyday, but we have tried to notify
> people of the problem with Configurations and nothing was done.  I
> would love to use it if it worked out of the box in 3.9.  Maybe a fix
> could be added to 3.10.

> >
> >> This would certainly be a solution to load
> >> the various Crypto packages, and it would have the advantage of
> >> allowing people to load a smaller subset for constrained devices.
> >> I'll take you up on you offer to build a Configuration file for us.
> >> Is it possible to nest one configuration inside of another?
> >
> > No.
>
> Bummer.
>
> >
> >> If I
> >> build a SSL configuration, I would want to load the Cryptography
> >> configuration with it.  O is this what Universes will deliver to us.
> >> Slightly confused.
> >
> > Universes supports dependencies afaik.
>
> Maybe this is now the solution, to add all packages to a Universe.  I
> wonder if Universes can be nested.

> >
> >> Here is my in-order list of packages for the Cryptography
> >> Configuration:
> >>
> >> Cryptography-Core
> >> Cryptography-ARC2
> >> Cryptography-RC4
> >> Cryptography-MD4
> >> Cryptography-MD5
> >> Cryptography-SHA1
> >> Cryptography-SHA256
> >> Cryptography-DES
> >> Cryptography-DSA
> >> Cryptography-RSA
> >> Cryptography-ElGamal
> >> Cryptography-Rijndael
> >> Cryptography-RandomAndPrime
> >> Cryptography-ASN1
> >> Cryptography-X509
> >> Cryptography-PKCS12
> >> Cryptography-Tests
> >
> > http://mc.lukas-renggli.ch/spielverderber/Cryptography-pmm.1.mcm
> > (I don't have the commit right for the cryptography project on SqS)
>
> I tried but I couldn't load it.  Where is the patch for Configurations?

> thanks and cheers,
> Rob
>
> >
> > Cheers
> > Philippe
> >
> >> cheers,
> >> Rob
> >>
> >> On Apr 21, 2007, at 8:55 AM, Philippe Marschall wrote:
> >>
> >> > 2007/4/21, Robert Withers <[hidden email]>:
> >> >> This is a request for comment on consolidating the Cryptography
> >> >> library for a general release.  What I mean by that is
> >> consolidating
> >> >> to a single Monticello package, that would allow users to one-
> >> click
> >> >> load the basic library.  Currently there is an implicit load order
> >> >> which most users don't know.  We still don't have Configuration
> >> >> support so that isn't a solution right now.
> >> >
> >> > What's the problem there? If you can load it with Monticello it
> >> should
> >> > be no problem to have a Configuration Map for it. I could even
> >> build
> >> > you one. Just tell me what you want in and in which order.
> >> >
> >> > Cheers
> >> > Philippe
> >> >
> >> >> If this idea is supported, I suggest we look at all the
> >> packages and
> >> >> decide which are "in", then generate the Cryptography package with
> >> >> these packages loaded.
> >> >>
> >> >> Those packages that are not included, like Cryptography-SMIME for
> >> >> instance, should really be renamed to not have the Cryptography-
> >> >> prefix.  The old versions can be deleted to keep things clean.
> >> >>
> >> >> Those packages that are selected, and are determined to be
> >> complete,
> >> >> could be deleted as independent packages and we would just rely on
> >> >> them being in the consolidated package and develop there when
> >> >> needed.  After this first step is completed, we could reassign the
> >> >> classes to a more compact categorization.
> >> >>
> >> >> Below is a list of the packages.  Please vote and if your vote is
> >> >> yes, what are your package recommendations as described below.
> >> >>
> >> >> Rob
> >> >>
> >> >> Packages:
> >> >> Those with a '*' in front are my suggestions as to which is to be
> >> >> included in Cryptography.  Those with a '!' in front are my
> >> >> suggestions as to which should be renamed away from Cryptography-.
> >> >> Those with a '+++' are candidates for deletion, since they have
> >> been
> >> >> superseded.
> >> >>
> >> >> * Cryptography-ARC2
> >> >> * Cryptography-ASN1
> >> >> * Cryptography-Core
> >> >> * Cryptography-DES
> >> >> * Cryptography-DSA
> >> >> * Cryptography-ElGamal
> >> >> * Cryptography-MD4
> >> >> * Cryptography-MD5
> >> >> * Cryptography-PKCS12
> >> >> * Cryptography-RC4
> >> >> * Cryptography-RSA
> >> >> * Cryptography-RandomAndPrime
> >> >> * Cryptography-Rijndael
> >> >> * Cryptography-SHA1
> >> >> * Cryptography-SHA256
> >> >> ! Cryptography-SMIME
> >> >> ! Cryptography-SSL
> >> >> * Cryptography-Tests
> >> >> * Cryptography-X509
> >> >> +++Fortuna  (this exists in RandomAndPrime)
> >> >> ! Cryptography-MSCerts
> >> >> +++Cryptography-TLS (this is superseded by SSL)
> >> >> OpenPGP
> >> >>
> >> >> _______________________________________________
> >> >> Cryptography mailing list
> >> >> [hidden email]
> >> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> >> cryptography
> >> >>
> >> > _______________________________________________
> >> > Cryptography mailing list
> >> > [hidden email]
> >> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> > cryptography
> >>
> >>
> >> _______________________________________________
> >> Cryptography mailing list
> >> [hidden email]
> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> cryptography
> >>
> >>
> >>
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography
>
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>
>
>

> This is a request for comment on consolidating the Cryptography
> library for a general release.  What I mean by that is consolidating
> to a single Monticello package, that would allow users to one-click
> load the basic library.  Currently there is an implicit load order
> which most users don't know.  We still don't have Configuration
> support so that isn't a solution right now.
>
> If this idea is supported, I suggest we look at all the packages and
> decide which are "in", then generate the Cryptography package with
> these packages loaded.
>
> Those packages that are not included, like Cryptography-SMIME for
> instance, should really be renamed to not have the Cryptography-
> prefix.  The old versions can be deleted to keep things clean.
>
> Those packages that are selected, and are determined to be complete,
> could be deleted as independent packages and we would just rely on
> them being in the consolidated package and develop there when
> needed.  After this first step is completed, we could reassign the
> classes to a more compact categorization.
>
> Below is a list of the packages.  Please vote and if your vote is
> yes, what are your package recommendations as described below.
>
> Rob
>
> Packages:
> Those with a '*' in front are my suggestions as to which is to be
> included in Cryptography.  Those with a '!' in front are my
> suggestions as to which should be renamed away from Cryptography-.
> Those with a '+++' are candidates for deletion, since they have been
> superseded.
>
> * Cryptography-ARC2
> * Cryptography-ASN1
> * Cryptography-Core
> * Cryptography-DES
> * Cryptography-DSA
> * Cryptography-ElGamal
> * Cryptography-MD4
> * Cryptography-MD5
> * Cryptography-PKCS12
> * Cryptography-RC4
> * Cryptography-RSA
> * Cryptography-RandomAndPrime
> * Cryptography-Rijndael
> * Cryptography-SHA1
> * Cryptography-SHA256
> ! Cryptography-SMIME
> ! Cryptography-SSL
> * Cryptography-Tests
> * Cryptography-X509
> +++Fortuna  (this exists in RandomAndPrime)
> ! Cryptography-MSCerts
> +++Cryptography-TLS (this is superseded by SSL)
> OpenPGP
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>