RFC: Consolidating the Cryptography library for a general release

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

RFC: Consolidating the Cryptography library for a general release

Rob Withers
This is a request for comment on consolidating the Cryptography  
library for a general release.  What I mean by that is consolidating  
to a single Monticello package, that would allow users to one-click  
load the basic library.  Currently there is an implicit load order  
which most users don't know.  We still don't have Configuration  
support so that isn't a solution right now.

If this idea is supported, I suggest we look at all the packages and  
decide which are "in", then generate the Cryptography package with  
these packages loaded.

Those packages that are not included, like Cryptography-SMIME for  
instance, should really be renamed to not have the Cryptography-  
prefix.  The old versions can be deleted to keep things clean.

Those packages that are selected, and are determined to be complete,  
could be deleted as independent packages and we would just rely on  
them being in the consolidated package and develop there when  
needed.  After this first step is completed, we could reassign the  
classes to a more compact categorization.

Below is a list of the packages.  Please vote and if your vote is  
yes, what are your package recommendations as described below.

Rob

Packages:
Those with a '*' in front are my suggestions as to which is to be  
included in Cryptography.  Those with a '!' in front are my  
suggestions as to which should be renamed away from Cryptography-.  
Those with a '+++' are candidates for deletion, since they have been  
superseded.

* Cryptography-ARC2
* Cryptography-ASN1
* Cryptography-Core
* Cryptography-DES
* Cryptography-DSA
* Cryptography-ElGamal
* Cryptography-MD4
* Cryptography-MD5
* Cryptography-PKCS12
* Cryptography-RC4
* Cryptography-RSA
* Cryptography-RandomAndPrime
* Cryptography-Rijndael
* Cryptography-SHA1
* Cryptography-SHA256
! Cryptography-SMIME
! Cryptography-SSL
* Cryptography-Tests
* Cryptography-X509
+++Fortuna  (this exists in RandomAndPrime)
! Cryptography-MSCerts
+++Cryptography-TLS (this is superseded by SSL)
OpenPGP

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: RFC: Consolidating the Cryptography library fora general release

Ron Teitelbaum
Hi Rob,

Very cool about the SMIME work I'm looking forward to working with it.

There is some working and useful code in MSCerts and I need to review TLS
for any dependencies.  Also the work that I started which integrates SSL
with Kom is there, I think in the tls package, so as long as we don't delete
them I'm ok with renaming them.  Were you planning on moving SSL and SMIME
into another repository or just renaming them within the Cryptography
repository?

We originally separated them out so that someone could select which
components they needed.  I agree with you that this introduced some load
dependencies.  Also the size of the classes themselves is not large enough
to really warrant their own packages.  We probably introduced more problems
and confusion then we solved.  So I agree with your suggestion and would
support having one cryptography package with all the component algorithms,
and then separate packages for applications.  I should also move my
KeyHolder and my PasswordSaltAndStretch somewhere.  I'm not sure they are
components but they are not really applications either.  Suggestions?

Ron

> -----Original Message-----
> From: Robert Withers
>
> This is a request for comment on consolidating the Cryptography
> library for a general release.  What I mean by that is consolidating
> to a single Monticello package, that would allow users to one-click
> load the basic library.  Currently there is an implicit load order
> which most users don't know.  We still don't have Configuration
> support so that isn't a solution right now.
>
> If this idea is supported, I suggest we look at all the packages and
> decide which are "in", then generate the Cryptography package with
> these packages loaded.
>
> Those packages that are not included, like Cryptography-SMIME for
> instance, should really be renamed to not have the Cryptography-
> prefix.  The old versions can be deleted to keep things clean.
>
> Those packages that are selected, and are determined to be complete,
> could be deleted as independent packages and we would just rely on
> them being in the consolidated package and develop there when
> needed.  After this first step is completed, we could reassign the
> classes to a more compact categorization.
>
> Below is a list of the packages.  Please vote and if your vote is
> yes, what are your package recommendations as described below.
>
> Rob
>
> Packages:
> Those with a '*' in front are my suggestions as to which is to be
> included in Cryptography.  Those with a '!' in front are my
> suggestions as to which should be renamed away from Cryptography-.
> Those with a '+++' are candidates for deletion, since they have been
> superseded.
>
> * Cryptography-ARC2
> * Cryptography-ASN1
> * Cryptography-Core
> * Cryptography-DES
> * Cryptography-DSA
> * Cryptography-ElGamal
> * Cryptography-MD4
> * Cryptography-MD5
> * Cryptography-PKCS12
> * Cryptography-RC4
> * Cryptography-RSA
> * Cryptography-RandomAndPrime
> * Cryptography-Rijndael
> * Cryptography-SHA1
> * Cryptography-SHA256
> ! Cryptography-SMIME
> ! Cryptography-SSL
> * Cryptography-Tests
> * Cryptography-X509
> +++Fortuna  (this exists in RandomAndPrime)
> ! Cryptography-MSCerts
> +++Cryptography-TLS (this is superseded by SSL)
> OpenPGP
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: RFC: Consolidating the Cryptography library fora general release

Rob Withers
Hi Ron,


On Apr 20, 2007, at 7:53 PM, Ron Teitelbaum wrote:

> Hi Rob,
>
> Very cool about the SMIME work I'm looking forward to working with it.

I have one last bug to fix for signatures.

> There is some working and useful code in MSCerts and I need to  
> review TLS
> for any dependencies.  Also the work that I started which  
> integrates SSL
> with Kom is there, I think in the tls package, so as long as we  
> don't delete
> them I'm ok with renaming them.  Were you planning on moving SSL  
> and SMIME
> into another repository or just renaming them within the Cryptography
> repository?

I was just going to re-categorize them and republish them as SSL and  
SMIME, but leave them in this repository.  I have already done this  
locally for SMIME, but I am waiting for the go ahead on the  
consolidation.

> We originally separated them out so that someone could select which
> components they needed.

I thought it was done to assist with concurrent development, but most  
of it is stable now.

> I agree with you that this introduced some load
> dependencies.  Also the size of the classes themselves is not large  
> enough
> to really warrant their own packages.  We probably introduced more  
> problems
> and confusion then we solved.  So I agree with your suggestion and  
> would
> support having one cryptography package with all the component  
> algorithms,
> and then separate packages for applications.  I should also move my
> KeyHolder and my PasswordSaltAndStretch somewhere.  I'm not sure  
> they are
> components but they are not really applications either.  Suggestions?

I think something in RC2 or something uses KeyHolder, et al.   Let's  
leave them in.

So you agree with my package allocation?

Rob

>
> Ron
>
>> -----Original Message-----
>> From: Robert Withers
>>
>> This is a request for comment on consolidating the Cryptography
>> library for a general release.  What I mean by that is consolidating
>> to a single Monticello package, that would allow users to one-click
>> load the basic library.  Currently there is an implicit load order
>> which most users don't know.  We still don't have Configuration
>> support so that isn't a solution right now.
>>
>> If this idea is supported, I suggest we look at all the packages and
>> decide which are "in", then generate the Cryptography package with
>> these packages loaded.
>>
>> Those packages that are not included, like Cryptography-SMIME for
>> instance, should really be renamed to not have the Cryptography-
>> prefix.  The old versions can be deleted to keep things clean.
>>
>> Those packages that are selected, and are determined to be complete,
>> could be deleted as independent packages and we would just rely on
>> them being in the consolidated package and develop there when
>> needed.  After this first step is completed, we could reassign the
>> classes to a more compact categorization.
>>
>> Below is a list of the packages.  Please vote and if your vote is
>> yes, what are your package recommendations as described below.
>>
>> Rob
>>
>> Packages:
>> Those with a '*' in front are my suggestions as to which is to be
>> included in Cryptography.  Those with a '!' in front are my
>> suggestions as to which should be renamed away from Cryptography-.
>> Those with a '+++' are candidates for deletion, since they have been
>> superseded.
>>
>> * Cryptography-ARC2
>> * Cryptography-ASN1
>> * Cryptography-Core
>> * Cryptography-DES
>> * Cryptography-DSA
>> * Cryptography-ElGamal
>> * Cryptography-MD4
>> * Cryptography-MD5
>> * Cryptography-PKCS12
>> * Cryptography-RC4
>> * Cryptography-RSA
>> * Cryptography-RandomAndPrime
>> * Cryptography-Rijndael
>> * Cryptography-SHA1
>> * Cryptography-SHA256
>> ! Cryptography-SMIME
>> ! Cryptography-SSL
>> * Cryptography-Tests
>> * Cryptography-X509
>> +++Fortuna  (this exists in RandomAndPrime)
>> ! Cryptography-MSCerts
>> +++Cryptography-TLS (this is superseded by SSL)
>> OpenPGP
>>
>> _______________________________________________
>> Cryptography mailing list
>> [hidden email]
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
>> cryptography
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
> cryptography

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: RFC: Consolidating the Cryptography library for a general release

Philippe Marschall
In reply to this post by Rob Withers
2007/4/21, Robert Withers <[hidden email]>:
> This is a request for comment on consolidating the Cryptography
> library for a general release.  What I mean by that is consolidating
> to a single Monticello package, that would allow users to one-click
> load the basic library.  Currently there is an implicit load order
> which most users don't know.  We still don't have Configuration
> support so that isn't a solution right now.

What's the problem there? If you can load it with Monticello it should
be no problem to have a Configuration Map for it. I could even build
you one. Just tell me what you want in and in which order.

Cheers
Philippe

> If this idea is supported, I suggest we look at all the packages and
> decide which are "in", then generate the Cryptography package with
> these packages loaded.
>
> Those packages that are not included, like Cryptography-SMIME for
> instance, should really be renamed to not have the Cryptography-
> prefix.  The old versions can be deleted to keep things clean.
>
> Those packages that are selected, and are determined to be complete,
> could be deleted as independent packages and we would just rely on
> them being in the consolidated package and develop there when
> needed.  After this first step is completed, we could reassign the
> classes to a more compact categorization.
>
> Below is a list of the packages.  Please vote and if your vote is
> yes, what are your package recommendations as described below.
>
> Rob
>
> Packages:
> Those with a '*' in front are my suggestions as to which is to be
> included in Cryptography.  Those with a '!' in front are my
> suggestions as to which should be renamed away from Cryptography-.
> Those with a '+++' are candidates for deletion, since they have been
> superseded.
>
> * Cryptography-ARC2
> * Cryptography-ASN1
> * Cryptography-Core
> * Cryptography-DES
> * Cryptography-DSA
> * Cryptography-ElGamal
> * Cryptography-MD4
> * Cryptography-MD5
> * Cryptography-PKCS12
> * Cryptography-RC4
> * Cryptography-RSA
> * Cryptography-RandomAndPrime
> * Cryptography-Rijndael
> * Cryptography-SHA1
> * Cryptography-SHA256
> ! Cryptography-SMIME
> ! Cryptography-SSL
> * Cryptography-Tests
> * Cryptography-X509
> +++Fortuna  (this exists in RandomAndPrime)
> ! Cryptography-MSCerts
> +++Cryptography-TLS (this is superseded by SSL)
> OpenPGP
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: RFC: Consolidating the Cryptography library for a general release

Rob Withers
Hi Philippe,

I hadn't realized that Configurations had been fixed in 3.9.  They  
were broken badly in 3.8.  This would certainly be a solution to load  
the various Crypto packages, and it would have the advantage of  
allowing people to load a smaller subset for constrained devices.    
I'll take you up on you offer to build a Configuration file for us.    
Is it possible to nest one configuration inside of another?   If I  
build a SSL configuration, I would want to load the Cryptography  
configuration with it.  O is this what Universes will deliver to us.  
Slightly confused.

Here is my in-order list of packages for the Cryptography Configuration:

Cryptography-Core
Cryptography-ARC2
Cryptography-RC4
Cryptography-MD4
Cryptography-MD5
Cryptography-SHA1
Cryptography-SHA256
Cryptography-DES
Cryptography-DSA
Cryptography-RSA
Cryptography-ElGamal
Cryptography-Rijndael
Cryptography-RandomAndPrime
Cryptography-ASN1
Cryptography-X509
Cryptography-PKCS12
Cryptography-Tests

cheers,
Rob

On Apr 21, 2007, at 8:55 AM, Philippe Marschall wrote:

> 2007/4/21, Robert Withers <[hidden email]>:
>> This is a request for comment on consolidating the Cryptography
>> library for a general release.  What I mean by that is consolidating
>> to a single Monticello package, that would allow users to one-click
>> load the basic library.  Currently there is an implicit load order
>> which most users don't know.  We still don't have Configuration
>> support so that isn't a solution right now.
>
> What's the problem there? If you can load it with Monticello it should
> be no problem to have a Configuration Map for it. I could even build
> you one. Just tell me what you want in and in which order.
>
> Cheers
> Philippe
>
>> If this idea is supported, I suggest we look at all the packages and
>> decide which are "in", then generate the Cryptography package with
>> these packages loaded.
>>
>> Those packages that are not included, like Cryptography-SMIME for
>> instance, should really be renamed to not have the Cryptography-
>> prefix.  The old versions can be deleted to keep things clean.
>>
>> Those packages that are selected, and are determined to be complete,
>> could be deleted as independent packages and we would just rely on
>> them being in the consolidated package and develop there when
>> needed.  After this first step is completed, we could reassign the
>> classes to a more compact categorization.
>>
>> Below is a list of the packages.  Please vote and if your vote is
>> yes, what are your package recommendations as described below.
>>
>> Rob
>>
>> Packages:
>> Those with a '*' in front are my suggestions as to which is to be
>> included in Cryptography.  Those with a '!' in front are my
>> suggestions as to which should be renamed away from Cryptography-.
>> Those with a '+++' are candidates for deletion, since they have been
>> superseded.
>>
>> * Cryptography-ARC2
>> * Cryptography-ASN1
>> * Cryptography-Core
>> * Cryptography-DES
>> * Cryptography-DSA
>> * Cryptography-ElGamal
>> * Cryptography-MD4
>> * Cryptography-MD5
>> * Cryptography-PKCS12
>> * Cryptography-RC4
>> * Cryptography-RSA
>> * Cryptography-RandomAndPrime
>> * Cryptography-Rijndael
>> * Cryptography-SHA1
>> * Cryptography-SHA256
>> ! Cryptography-SMIME
>> ! Cryptography-SSL
>> * Cryptography-Tests
>> * Cryptography-X509
>> +++Fortuna  (this exists in RandomAndPrime)
>> ! Cryptography-MSCerts
>> +++Cryptography-TLS (this is superseded by SSL)
>> OpenPGP
>>
>> _______________________________________________
>> Cryptography mailing list
>> [hidden email]
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
>> cryptography
>>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
> cryptography

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: RFC: Consolidating the Cryptography library for a general release

Philippe Marschall
2007/4/21, Robert Withers <[hidden email]>:
> Hi Philippe,
>
> I hadn't realized that Configurations had been fixed in 3.9.  They
> were broken badly in 3.8.

They don't work out of the box in 3.9, you're right about that. I
don't know what the situation on 3.8.1 is.

> This would certainly be a solution to load
> the various Crypto packages, and it would have the advantage of
> allowing people to load a smaller subset for constrained devices.
> I'll take you up on you offer to build a Configuration file for us.
> Is it possible to nest one configuration inside of another?

No.

> If I
> build a SSL configuration, I would want to load the Cryptography
> configuration with it.  O is this what Universes will deliver to us.
> Slightly confused.

Universes supports dependencies afaik.

> Here is my in-order list of packages for the Cryptography Configuration:
>
> Cryptography-Core
> Cryptography-ARC2
> Cryptography-RC4
> Cryptography-MD4
> Cryptography-MD5
> Cryptography-SHA1
> Cryptography-SHA256
> Cryptography-DES
> Cryptography-DSA
> Cryptography-RSA
> Cryptography-ElGamal
> Cryptography-Rijndael
> Cryptography-RandomAndPrime
> Cryptography-ASN1
> Cryptography-X509
> Cryptography-PKCS12
> Cryptography-Tests

http://mc.lukas-renggli.ch/spielverderber/Cryptography-pmm.1.mcm
(I don't have the commit right for the cryptography project on SqS)

Cheers
Philippe

> cheers,
> Rob
>
> On Apr 21, 2007, at 8:55 AM, Philippe Marschall wrote:
>
> > 2007/4/21, Robert Withers <[hidden email]>:
> >> This is a request for comment on consolidating the Cryptography
> >> library for a general release.  What I mean by that is consolidating
> >> to a single Monticello package, that would allow users to one-click
> >> load the basic library.  Currently there is an implicit load order
> >> which most users don't know.  We still don't have Configuration
> >> support so that isn't a solution right now.
> >
> > What's the problem there? If you can load it with Monticello it should
> > be no problem to have a Configuration Map for it. I could even build
> > you one. Just tell me what you want in and in which order.
> >
> > Cheers
> > Philippe
> >
> >> If this idea is supported, I suggest we look at all the packages and
> >> decide which are "in", then generate the Cryptography package with
> >> these packages loaded.
> >>
> >> Those packages that are not included, like Cryptography-SMIME for
> >> instance, should really be renamed to not have the Cryptography-
> >> prefix.  The old versions can be deleted to keep things clean.
> >>
> >> Those packages that are selected, and are determined to be complete,
> >> could be deleted as independent packages and we would just rely on
> >> them being in the consolidated package and develop there when
> >> needed.  After this first step is completed, we could reassign the
> >> classes to a more compact categorization.
> >>
> >> Below is a list of the packages.  Please vote and if your vote is
> >> yes, what are your package recommendations as described below.
> >>
> >> Rob
> >>
> >> Packages:
> >> Those with a '*' in front are my suggestions as to which is to be
> >> included in Cryptography.  Those with a '!' in front are my
> >> suggestions as to which should be renamed away from Cryptography-.
> >> Those with a '+++' are candidates for deletion, since they have been
> >> superseded.
> >>
> >> * Cryptography-ARC2
> >> * Cryptography-ASN1
> >> * Cryptography-Core
> >> * Cryptography-DES
> >> * Cryptography-DSA
> >> * Cryptography-ElGamal
> >> * Cryptography-MD4
> >> * Cryptography-MD5
> >> * Cryptography-PKCS12
> >> * Cryptography-RC4
> >> * Cryptography-RSA
> >> * Cryptography-RandomAndPrime
> >> * Cryptography-Rijndael
> >> * Cryptography-SHA1
> >> * Cryptography-SHA256
> >> ! Cryptography-SMIME
> >> ! Cryptography-SSL
> >> * Cryptography-Tests
> >> * Cryptography-X509
> >> +++Fortuna  (this exists in RandomAndPrime)
> >> ! Cryptography-MSCerts
> >> +++Cryptography-TLS (this is superseded by SSL)
> >> OpenPGP
> >>
> >> _______________________________________________
> >> Cryptography mailing list
> >> [hidden email]
> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> cryptography
> >>
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography
>
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>
>
>
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: RFC: Consolidating the Cryptography library for a general release

Rob Withers

On Apr 21, 2007, at 10:26 AM, Philippe Marschall wrote:

> 2007/4/21, Robert Withers <[hidden email]>:
>> Hi Philippe,
>>
>> I hadn't realized that Configurations had been fixed in 3.9.  They
>> were broken badly in 3.8.
>
> They don't work out of the box in 3.9, you're right about that. I
> don't know what the situation on 3.8.1 is.

I'm sorry but I don't think it is suitable to deploy Cryptography  
using a mechanism that does not work out of the box.  It has been two  
cycles (3.8 and 3.9) where this problem has existed without being  
repaired.  We are trying to arrive at a solution to allow users to  
load Cryptography out of the box, so they can start using  
applications that are built on top of Cryptography, like SMIME and  
SSL.  I think consolidating the library makes perfect sense, and if  
someone needs a slimmed down version we can create one for them.  I'm  
sorry if a little frustration is coming through, but Monticello is a  
fantastic product that I use everyday, but we have tried to notify  
people of the problem with Configurations and nothing was done.  I  
would love to use it if it worked out of the box in 3.9.  Maybe a fix  
could be added to 3.10.

>
>> This would certainly be a solution to load
>> the various Crypto packages, and it would have the advantage of
>> allowing people to load a smaller subset for constrained devices.
>> I'll take you up on you offer to build a Configuration file for us.
>> Is it possible to nest one configuration inside of another?
>
> No.

Bummer.

>
>> If I
>> build a SSL configuration, I would want to load the Cryptography
>> configuration with it.  O is this what Universes will deliver to us.
>> Slightly confused.
>
> Universes supports dependencies afaik.

Maybe this is now the solution, to add all packages to a Universe.  I  
wonder if Universes can be nested.

>
>> Here is my in-order list of packages for the Cryptography  
>> Configuration:
>>
>> Cryptography-Core
>> Cryptography-ARC2
>> Cryptography-RC4
>> Cryptography-MD4
>> Cryptography-MD5
>> Cryptography-SHA1
>> Cryptography-SHA256
>> Cryptography-DES
>> Cryptography-DSA
>> Cryptography-RSA
>> Cryptography-ElGamal
>> Cryptography-Rijndael
>> Cryptography-RandomAndPrime
>> Cryptography-ASN1
>> Cryptography-X509
>> Cryptography-PKCS12
>> Cryptography-Tests
>
> http://mc.lukas-renggli.ch/spielverderber/Cryptography-pmm.1.mcm
> (I don't have the commit right for the cryptography project on SqS)
I tried but I couldn't load it.  Where is the patch for Configurations?

thanks and cheers,
Rob

>
> Cheers
> Philippe
>
>> cheers,
>> Rob
>>
>> On Apr 21, 2007, at 8:55 AM, Philippe Marschall wrote:
>>
>> > 2007/4/21, Robert Withers <[hidden email]>:
>> >> This is a request for comment on consolidating the Cryptography
>> >> library for a general release.  What I mean by that is  
>> consolidating
>> >> to a single Monticello package, that would allow users to one-
>> click
>> >> load the basic library.  Currently there is an implicit load order
>> >> which most users don't know.  We still don't have Configuration
>> >> support so that isn't a solution right now.
>> >
>> > What's the problem there? If you can load it with Monticello it  
>> should
>> > be no problem to have a Configuration Map for it. I could even  
>> build
>> > you one. Just tell me what you want in and in which order.
>> >
>> > Cheers
>> > Philippe
>> >
>> >> If this idea is supported, I suggest we look at all the  
>> packages and
>> >> decide which are "in", then generate the Cryptography package with
>> >> these packages loaded.
>> >>
>> >> Those packages that are not included, like Cryptography-SMIME for
>> >> instance, should really be renamed to not have the Cryptography-
>> >> prefix.  The old versions can be deleted to keep things clean.
>> >>
>> >> Those packages that are selected, and are determined to be  
>> complete,
>> >> could be deleted as independent packages and we would just rely on
>> >> them being in the consolidated package and develop there when
>> >> needed.  After this first step is completed, we could reassign the
>> >> classes to a more compact categorization.
>> >>
>> >> Below is a list of the packages.  Please vote and if your vote is
>> >> yes, what are your package recommendations as described below.
>> >>
>> >> Rob
>> >>
>> >> Packages:
>> >> Those with a '*' in front are my suggestions as to which is to be
>> >> included in Cryptography.  Those with a '!' in front are my
>> >> suggestions as to which should be renamed away from Cryptography-.
>> >> Those with a '+++' are candidates for deletion, since they have  
>> been
>> >> superseded.
>> >>
>> >> * Cryptography-ARC2
>> >> * Cryptography-ASN1
>> >> * Cryptography-Core
>> >> * Cryptography-DES
>> >> * Cryptography-DSA
>> >> * Cryptography-ElGamal
>> >> * Cryptography-MD4
>> >> * Cryptography-MD5
>> >> * Cryptography-PKCS12
>> >> * Cryptography-RC4
>> >> * Cryptography-RSA
>> >> * Cryptography-RandomAndPrime
>> >> * Cryptography-Rijndael
>> >> * Cryptography-SHA1
>> >> * Cryptography-SHA256
>> >> ! Cryptography-SMIME
>> >> ! Cryptography-SSL
>> >> * Cryptography-Tests
>> >> * Cryptography-X509
>> >> +++Fortuna  (this exists in RandomAndPrime)
>> >> ! Cryptography-MSCerts
>> >> +++Cryptography-TLS (this is superseded by SSL)
>> >> OpenPGP
>> >>
>> >> _______________________________________________
>> >> Cryptography mailing list
>> >> [hidden email]
>> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
>> >> cryptography
>> >>
>> > _______________________________________________
>> > Cryptography mailing list
>> > [hidden email]
>> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
>> > cryptography
>>
>>
>> _______________________________________________
>> Cryptography mailing list
>> [hidden email]
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
>> cryptography
>>
>>
>>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/ 
> cryptography

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography

smime.p7s (3K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: RFC: Consolidating the Cryptography library fora general release

Ron Teitelbaum
In reply to this post by Rob Withers
I agree that there is no need to have separate packages for cryptography.
Our original goal was to allow separate base algorithms to be loaded
individually but there have already been a number of problems with
dependencies, especially the need to load MD5 before other packages.  I
agree with your assessment, and baring no other objections from the team, I
would support consolidating base algorithms into Cryptography, and
applications into separate packages.

Ron

> -----Original Message-----
> From: Robert Withers [mailto:[hidden email]]
> Sent: Saturday, April 21, 2007 11:31 AM
> To: [hidden email]; Cryptography Team Development List
> Subject: Re: [Cryptography Team] RFC: Consolidating the Cryptography
> library fora general release
>
> Hi Ron,
>
>
> On Apr 20, 2007, at 7:53 PM, Ron Teitelbaum wrote:
>
> > Hi Rob,
> >
> > Very cool about the SMIME work I'm looking forward to working with it.
>
> I have one last bug to fix for signatures.
>
> > There is some working and useful code in MSCerts and I need to
> > review TLS
> > for any dependencies.  Also the work that I started which
> > integrates SSL
> > with Kom is there, I think in the tls package, so as long as we
> > don't delete
> > them I'm ok with renaming them.  Were you planning on moving SSL
> > and SMIME
> > into another repository or just renaming them within the Cryptography
> > repository?
>
> I was just going to re-categorize them and republish them as SSL and
> SMIME, but leave them in this repository.  I have already done this
> locally for SMIME, but I am waiting for the go ahead on the
> consolidation.
>
> > We originally separated them out so that someone could select which
> > components they needed.
>
> I thought it was done to assist with concurrent development, but most
> of it is stable now.
>
> > I agree with you that this introduced some load
> > dependencies.  Also the size of the classes themselves is not large
> > enough
> > to really warrant their own packages.  We probably introduced more
> > problems
> > and confusion then we solved.  So I agree with your suggestion and
> > would
> > support having one cryptography package with all the component
> > algorithms,
> > and then separate packages for applications.  I should also move my
> > KeyHolder and my PasswordSaltAndStretch somewhere.  I'm not sure
> > they are
> > components but they are not really applications either.  Suggestions?
>
> I think something in RC2 or something uses KeyHolder, et al.   Let's
> leave them in.
>
> So you agree with my package allocation?
>
> Rob
>
> >
> > Ron
> >
> >> -----Original Message-----
> >> From: Robert Withers
> >>
> >> This is a request for comment on consolidating the Cryptography
> >> library for a general release.  What I mean by that is consolidating
> >> to a single Monticello package, that would allow users to one-click
> >> load the basic library.  Currently there is an implicit load order
> >> which most users don't know.  We still don't have Configuration
> >> support so that isn't a solution right now.
> >>
> >> If this idea is supported, I suggest we look at all the packages and
> >> decide which are "in", then generate the Cryptography package with
> >> these packages loaded.
> >>
> >> Those packages that are not included, like Cryptography-SMIME for
> >> instance, should really be renamed to not have the Cryptography-
> >> prefix.  The old versions can be deleted to keep things clean.
> >>
> >> Those packages that are selected, and are determined to be complete,
> >> could be deleted as independent packages and we would just rely on
> >> them being in the consolidated package and develop there when
> >> needed.  After this first step is completed, we could reassign the
> >> classes to a more compact categorization.
> >>
> >> Below is a list of the packages.  Please vote and if your vote is
> >> yes, what are your package recommendations as described below.
> >>
> >> Rob
> >>
> >> Packages:
> >> Those with a '*' in front are my suggestions as to which is to be
> >> included in Cryptography.  Those with a '!' in front are my
> >> suggestions as to which should be renamed away from Cryptography-.
> >> Those with a '+++' are candidates for deletion, since they have been
> >> superseded.
> >>
> >> * Cryptography-ARC2
> >> * Cryptography-ASN1
> >> * Cryptography-Core
> >> * Cryptography-DES
> >> * Cryptography-DSA
> >> * Cryptography-ElGamal
> >> * Cryptography-MD4
> >> * Cryptography-MD5
> >> * Cryptography-PKCS12
> >> * Cryptography-RC4
> >> * Cryptography-RSA
> >> * Cryptography-RandomAndPrime
> >> * Cryptography-Rijndael
> >> * Cryptography-SHA1
> >> * Cryptography-SHA256
> >> ! Cryptography-SMIME
> >> ! Cryptography-SSL
> >> * Cryptography-Tests
> >> * Cryptography-X509
> >> +++Fortuna  (this exists in RandomAndPrime)
> >> ! Cryptography-MSCerts
> >> +++Cryptography-TLS (this is superseded by SSL)
> >> OpenPGP
> >>
> >> _______________________________________________
> >> Cryptography mailing list
> >> [hidden email]
> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> cryptography
> >
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: RFC: Consolidating the Cryptography library for a general release

Philippe Marschall
In reply to this post by Rob Withers
2007/4/21, Robert Withers <[hidden email]>:

>
> On Apr 21, 2007, at 10:26 AM, Philippe Marschall wrote:
>
> > 2007/4/21, Robert Withers <[hidden email]>:
> >> Hi Philippe,
> >>
> >> I hadn't realized that Configurations had been fixed in 3.9.  They
> >> were broken badly in 3.8.
> >
> > They don't work out of the box in 3.9, you're right about that. I
> > don't know what the situation on 3.8.1 is.
>
> I'm sorry but I don't think it is suitable to deploy Cryptography
> using a mechanism that does not work out of the box.  It has been two
> cycles (3.8 and 3.9) where this problem has existed without being
> repaired.  We are trying to arrive at a solution to allow users to
> load Cryptography out of the box, so they can start using
> applications that are built on top of Cryptography, like SMIME and
> SSL.  I think consolidating the library makes perfect sense, and if
> someone needs a slimmed down version we can create one for them.  I'm
> sorry if a little frustration is coming through, but Monticello is a
> fantastic product that I use everyday, but we have tried to notify
> people of the problem with Configurations and nothing was done.  I
> would love to use it if it worked out of the box in 3.9.  Maybe a fix
> could be added to 3.10.

You don't need to tell me, I'm neither maintainer of Monticello (yes
Monticello has a maintainer) or Monticello Configurations neither am I
in the release team. I'm just submitting patches.

> >
> >> This would certainly be a solution to load
> >> the various Crypto packages, and it would have the advantage of
> >> allowing people to load a smaller subset for constrained devices.
> >> I'll take you up on you offer to build a Configuration file for us.
> >> Is it possible to nest one configuration inside of another?
> >
> > No.
>
> Bummer.
>
> >
> >> If I
> >> build a SSL configuration, I would want to load the Cryptography
> >> configuration with it.  O is this what Universes will deliver to us.
> >> Slightly confused.
> >
> > Universes supports dependencies afaik.
>
> Maybe this is now the solution, to add all packages to a Universe.  I
> wonder if Universes can be nested.

I don't know enough about Universes.

> >
> >> Here is my in-order list of packages for the Cryptography
> >> Configuration:
> >>
> >> Cryptography-Core
> >> Cryptography-ARC2
> >> Cryptography-RC4
> >> Cryptography-MD4
> >> Cryptography-MD5
> >> Cryptography-SHA1
> >> Cryptography-SHA256
> >> Cryptography-DES
> >> Cryptography-DSA
> >> Cryptography-RSA
> >> Cryptography-ElGamal
> >> Cryptography-Rijndael
> >> Cryptography-RandomAndPrime
> >> Cryptography-ASN1
> >> Cryptography-X509
> >> Cryptography-PKCS12
> >> Cryptography-Tests
> >
> > http://mc.lukas-renggli.ch/spielverderber/Cryptography-pmm.1.mcm
> > (I don't have the commit right for the cryptography project on SqS)
>
> I tried but I couldn't load it.  Where is the patch for Configurations?

The main problem is actually not Configurations but Monticello. There
are about three (maybe now four versions from which you can pick:

http://bugs.squeak.org/view.php?id=5217
http://bugs.squeak.org/view.php?id=4991
http://www.squeaksource.com/Trike.html

For 3.8 you might want to the one from the Impara repository:
http://source.impara.de/mc

Cheers
Philippe

> thanks and cheers,
> Rob
>
> >
> > Cheers
> > Philippe
> >
> >> cheers,
> >> Rob
> >>
> >> On Apr 21, 2007, at 8:55 AM, Philippe Marschall wrote:
> >>
> >> > 2007/4/21, Robert Withers <[hidden email]>:
> >> >> This is a request for comment on consolidating the Cryptography
> >> >> library for a general release.  What I mean by that is
> >> consolidating
> >> >> to a single Monticello package, that would allow users to one-
> >> click
> >> >> load the basic library.  Currently there is an implicit load order
> >> >> which most users don't know.  We still don't have Configuration
> >> >> support so that isn't a solution right now.
> >> >
> >> > What's the problem there? If you can load it with Monticello it
> >> should
> >> > be no problem to have a Configuration Map for it. I could even
> >> build
> >> > you one. Just tell me what you want in and in which order.
> >> >
> >> > Cheers
> >> > Philippe
> >> >
> >> >> If this idea is supported, I suggest we look at all the
> >> packages and
> >> >> decide which are "in", then generate the Cryptography package with
> >> >> these packages loaded.
> >> >>
> >> >> Those packages that are not included, like Cryptography-SMIME for
> >> >> instance, should really be renamed to not have the Cryptography-
> >> >> prefix.  The old versions can be deleted to keep things clean.
> >> >>
> >> >> Those packages that are selected, and are determined to be
> >> complete,
> >> >> could be deleted as independent packages and we would just rely on
> >> >> them being in the consolidated package and develop there when
> >> >> needed.  After this first step is completed, we could reassign the
> >> >> classes to a more compact categorization.
> >> >>
> >> >> Below is a list of the packages.  Please vote and if your vote is
> >> >> yes, what are your package recommendations as described below.
> >> >>
> >> >> Rob
> >> >>
> >> >> Packages:
> >> >> Those with a '*' in front are my suggestions as to which is to be
> >> >> included in Cryptography.  Those with a '!' in front are my
> >> >> suggestions as to which should be renamed away from Cryptography-.
> >> >> Those with a '+++' are candidates for deletion, since they have
> >> been
> >> >> superseded.
> >> >>
> >> >> * Cryptography-ARC2
> >> >> * Cryptography-ASN1
> >> >> * Cryptography-Core
> >> >> * Cryptography-DES
> >> >> * Cryptography-DSA
> >> >> * Cryptography-ElGamal
> >> >> * Cryptography-MD4
> >> >> * Cryptography-MD5
> >> >> * Cryptography-PKCS12
> >> >> * Cryptography-RC4
> >> >> * Cryptography-RSA
> >> >> * Cryptography-RandomAndPrime
> >> >> * Cryptography-Rijndael
> >> >> * Cryptography-SHA1
> >> >> * Cryptography-SHA256
> >> >> ! Cryptography-SMIME
> >> >> ! Cryptography-SSL
> >> >> * Cryptography-Tests
> >> >> * Cryptography-X509
> >> >> +++Fortuna  (this exists in RandomAndPrime)
> >> >> ! Cryptography-MSCerts
> >> >> +++Cryptography-TLS (this is superseded by SSL)
> >> >> OpenPGP
> >> >>
> >> >> _______________________________________________
> >> >> Cryptography mailing list
> >> >> [hidden email]
> >> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> >> cryptography
> >> >>
> >> > _______________________________________________
> >> > Cryptography mailing list
> >> > [hidden email]
> >> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> > cryptography
> >>
> >>
> >> _______________________________________________
> >> Cryptography mailing list
> >> [hidden email]
> >> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> >> cryptography
> >>
> >>
> >>
> > _______________________________________________
> > Cryptography mailing list
> > [hidden email]
> > http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/
> > cryptography
>
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>
>
>
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: RFC: Consolidating the Cryptography library for a general release

Chris Muller-3
In reply to this post by Rob Withers
Hi Rob, thanks for proposing this.  I have long been a proponent of
consolidating them but the idea was always met with resistance.  I
don't know what changed our minds, but I'm happy about it.

I guess I must be the least-concerned in the entire Squeak community
about having a little extra code in my images.  Most of the crypto
packages are just a few bytes so I never understood what the big deal
is.  Also, if someone was really bothered by it, they could always
easily strip whatever individual classes and methods they wanted.

I pretty much agree with your entire list of ones to include/exclude.

Thanks.
  Chris


On 4/20/07, Robert Withers <[hidden email]> wrote:

> This is a request for comment on consolidating the Cryptography
> library for a general release.  What I mean by that is consolidating
> to a single Monticello package, that would allow users to one-click
> load the basic library.  Currently there is an implicit load order
> which most users don't know.  We still don't have Configuration
> support so that isn't a solution right now.
>
> If this idea is supported, I suggest we look at all the packages and
> decide which are "in", then generate the Cryptography package with
> these packages loaded.
>
> Those packages that are not included, like Cryptography-SMIME for
> instance, should really be renamed to not have the Cryptography-
> prefix.  The old versions can be deleted to keep things clean.
>
> Those packages that are selected, and are determined to be complete,
> could be deleted as independent packages and we would just rely on
> them being in the consolidated package and develop there when
> needed.  After this first step is completed, we could reassign the
> classes to a more compact categorization.
>
> Below is a list of the packages.  Please vote and if your vote is
> yes, what are your package recommendations as described below.
>
> Rob
>
> Packages:
> Those with a '*' in front are my suggestions as to which is to be
> included in Cryptography.  Those with a '!' in front are my
> suggestions as to which should be renamed away from Cryptography-.
> Those with a '+++' are candidates for deletion, since they have been
> superseded.
>
> * Cryptography-ARC2
> * Cryptography-ASN1
> * Cryptography-Core
> * Cryptography-DES
> * Cryptography-DSA
> * Cryptography-ElGamal
> * Cryptography-MD4
> * Cryptography-MD5
> * Cryptography-PKCS12
> * Cryptography-RC4
> * Cryptography-RSA
> * Cryptography-RandomAndPrime
> * Cryptography-Rijndael
> * Cryptography-SHA1
> * Cryptography-SHA256
> ! Cryptography-SMIME
> ! Cryptography-SSL
> * Cryptography-Tests
> * Cryptography-X509
> +++Fortuna  (this exists in RandomAndPrime)
> ! Cryptography-MSCerts
> +++Cryptography-TLS (this is superseded by SSL)
> OpenPGP
>
> _______________________________________________
> Cryptography mailing list
> [hidden email]
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
>
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography