potential to include cryptography in base image


potential to include cryptography in base image

Robert Withers
It was suggested to me that I write to the list and raise the question about cryptography being included in the base image. Really I have 3 questions I would ask you all:

  1. is it desirable to include cryptography?
  2. is it feasible to include cryptography?
  3. what is the time frame for including cryptography?
Given the thread on password hashing (and salting and so on), there are good, solid implementations in the cryptography package. Looking in the Cryptography repository, there is a Pharo 5.0 compatible Cryptography package.

In light of another recent thread discussing random number generation, discussion about the best approach to random algorithms in cryptography ought be engaged. For instance, the SecureRandom algorithm evidently provides some level of guarantee.

To underline the solidity I am attaching a profile of all 102 cryptography tests passing green. This profile demonstrates that there are no areas of particular inefficiency - nothing stands out to be improved - which means that the entire library is maximally efficient.

And so I please ask that we have these discussions, for there is a lot of value in this package for general and basic use.


--
. .. ... ^,^ best, robert



Attachment: Cryptography Spy Results.text.gz (2K)

Re: potential to include cryptography in base image

Robert Withers
Thank you, Sven, for giving me the opportunity to scope the right mailing
lists into the discussion.

I love that Pharo is oriented towards business. My particular excitement
is to see all the scientific computing. These recent threads on
expanding capacity and targeting marketing are good. I think
Cryptography in the base, including SecureSession, adds to that effort.

The Cryptography package, both for squeak and the Cryptography-Pharo
package, are in the Cryptography repository
(http://www.squeaksource.com/Cryptography). Through the Monticello
Browser this is a loadable item. The loading of SecureSession, which is
loadable by both squeak and pharo, is a separate load. I appreciate
that pharo has established a different mechanism for loading.

At this time, I am deep into fixing ReedSolomon FEC code, so I must be
conservative (which I am) and defer learning and including Cryptography
in that mechanism. I must be careful what promises I make and I cannot
make a commitment here.  If you are interested in seeing this in pharo's
catalog, then the Cryptography team welcomes new members, especially
from new environments. Welcome. We appreciate all the work that you do!

Again, I appreciate the opportunity to engage the community in
discussion around the definition and example of a minimal modular image
that includes Cryptography & SecureSession in the base.


NB: I think that business computing and scientific computing do not
equal mobile devices, necessarily. I have long made the case, with
varying degrees of effectiveness, that squeak belongs on the server. A
SecureSession & Cryptography capability in the base, minimal, headless
image is desired: the first question in the OP.

Therefore, the correct target of growth is not mobile, it is BigData!


On 12/15/2015 05:20 AM, Sven Van Caekenberghe wrote:

> Robert,
>
> I think that the Pharo community, part of which is more business oriented, is absolutely interested in more and better Crypto code. In any case, I am.
>
> What we absolutely want, if it is not already the case (I did not check), is that the Crypto code can be loaded using 1 single action (through our validated Monticello configurations and Catalog mechanism) - I am sure you will find help to achieve and maintain (through a CI process) that goal.
>
> Whether it should be a base part of the image is another question. Modularity is a huge goal for Pharo. This is a much harder discussion (as the same can be said of or asked for for many packages that are generally useful: XML, CSV, JSON, SQL, ...). In any case, the first step is the one described in the previous paragraph. Then you need traction, usage, and maybe demand for full inclusion.
>
> Regards,
>
> Sven
>
>> On 15 Dec 2015, at 11:00, Robert Withers <[hidden email]> wrote:
>>
>> It was suggested to me that I write to the list and raise the question about cryptography being included in the base image. Really I have 3 questions I would ask you all:
>>
>> • is it desirable to include cryptography?
>> • is it feasible to include cryptography?
>> • what is the time frame for including cryptography?
>> Given the thread on password hashing (and salting and so on), there are good, solid implementations in the cryptography package. Looking in the Cryptography repository, there is a Pharo 5.0 compatible Cryptography package.
>>
>> In light of another recent thread discussing random number generation, discussion about the best approach to random algorithms in cryptography ought be engaged. For instance, the SecureRandom algorithm evidently provides some level of guarantee.
>>
>> To underline the solidity I am attaching a profile of all 102 cryptography tests passing green. This profile demonstrates that there are no areas of particular inefficiency - nothing stands out to be improved - which means that the entire library is maximally efficient.
>>
>> And so I please ask that we have these discussions, for there is a lot of value in this package for general and basic use.
>>
>>
>> --
>> . .. ... ^,^ best, robert
>> <Cryptography Spy Results.text.gz>

--
. .. .. ^,^ best, robert


Re: potential to include cryptography in base image

David T. Lewis
In reply to this post by Robert Withers
On Tue, Dec 15, 2015 at 05:00:12AM -0500, Robert Withers wrote:
> It was suggested to me that I write to the list and raise the question
> about cryptography being included in the base image. Really I have 3
> questions I would ask you all:
>
> 1. is it desirable to include cryptography?
> 2. is it feasible to include cryptography?
> 3. what is the time frame for including cryptography?

I'm not sure whether it is a good idea to include it in the base image,
versus maintain it in an external package that can be easily loaded
from SqueakMap. Either way, I think we should get it updated on
SqueakMap first so that more people can (and hopefully will) load
it in their images, run the tests, and get experience with it. FWIW,
I personally tend to favor maintaining packages externally in cases
where we have an interest in supporting the package on various
kinds of images, such as Squeak/Cuis/Pharo.

Robert, are you in a position to update the SqueakMap entries? Currently
they are "crypto", "Cryptography", and "Cryptography Team Package". They
are all out of date, and I'm not sure who owns which version. We should
pick one of them as the official one, and update it so that it loads the
latest version (Cryptography-rww.49) into a Squeak 4.6 or 5.0 image.

It is of course quite easy to load Cryptography directly from squeaksource,
but there are quite a few packages in that repository that may seem confusing
for someone loading Cryptography for the first time, so I think a one-click
download from SqueakMap would be helpful.

Dave



Re: potential to include cryptography in base image

Robert Withers


On 12/15/2015 10:02 PM, David T. Lewis wrote:

> On Tue, Dec 15, 2015 at 05:00:12AM -0500, Robert Withers wrote:
>> It was suggested to me that I write to the list and raise the question
>> about cryptography being included in the base image. Really I have 3
>> questions I would ask you all:
>>
>> 1. is it desirable to include cryptography?
>> 2. is it feasible to include cryptography?
>> 3. what is the time frame for including cryptography?
> I'm not sure whether it is a good idea to include it in the base image,
> versus maintain it in an external package that can be easily loaded
> from SqueakMap. Either way, I think we should get it updated on
> SqueakMap first so that more people can (and hopefully will) load
> it in their images, run the tests, and get experience with it. FWIW,
> I personally tend to favor maintaining packages externally in cases
> where we have an interest in supporting the package on various
> kinds of images, such as Squeak/Cuis/Pharo.
>
> Robert, are you in a position to update the SqueakMap entries? Currently
> they are "crypto", "Cryptography", and "Cryptography Team Package". They
> are all out of date, and I'm not sure who owns which version. We should
> pick one of them as the official one, and update it so that it loads the
> latest version (Cryptography-rww.49) into a Squeak 4.6 or 5.0 image.
>
> It is of course quite easy to load Cryptography directly from squeaksource,
> but there are quite a few packages in that repository that may seem confusing
> for someone loading Cryptography for the first time, so I think a one-click
> download from SqueakMap would be helpful.

Thank you for your view of these matters. I must apologize for being
forgetful about SqueakMap. I have no idea if I can login or not, it has
been years. I have requested a new passwd so shortly I will be in. Do we
want these artifacts on SqueakSource and SqueakMap?

There are a lot of other packages in Cryptography on SqueakSource. I
have cleaned up some of the packages I have in Mushroom. Some, like
Blowfish, may want to be folded into the core package. Plugins will want
to stay.

I suppose better documentation would help, some for Pharo and some for
Squeak.

I got frustrated in the course of this as I think others did, as well.
My apologies for simplifying a complex area and being too simplistic, at
times.

Regards,
Robert

> Dave
>
>

--
. .. .. ^,^ robert


Re: potential to include cryptography in base image

Chris Muller-3
> Do we want these artifacts on SqueakSource and SqueakMap?

Yes, please.  Put the code on SqueakSource and publish just the script for consuming it on SqueakMap.  The best practice is to have one script that loads a fixed version into a fixed Squeak (e.g., currently 5.0) so there is always a working reference one can go back to, and then one more for the latest code.

http://wiki.squeak.org/squeak/6182 has details and examples.




Re: potential to include cryptography in base image

Robert Withers
I created a new account, since my old one has the wrong email that I can't access or change. Is there a way someone could update my email address to this one, please? Otherwise, I will need to get my new account added to the existing packages.

robert

On 12/18/2015 02:57 PM, Chris Muller wrote:
>> Do we want these artifacts on SqueakSource and SqueakMap?
>
> Yes, please.  Put the code on SqueakSource and publish just the script for consuming it on SqueakMap.  The best practice is to have one script that loads a fixed version into a fixed Squeak (e.g., currently 5.0) so there is always a working reference one can go back to, and then one more for the latest code.
>
> http://wiki.squeak.org/squeak/6182 has details and examples.




    

--
. .. .. ^,^ robert



Re: potential to include cryptography in base image

Chris Muller-3
Yes.  I've just set the #email: of your 'rww' account to your gmail address.

For sake of Catalog model cleanliness, if you wouldn't mind deleting your new account, it would be appreciated.

On Fri, Dec 18, 2015 at 2:05 PM, Robert Withers <[hidden email]> wrote:
> I created a new account, since my old one has the wrong email that I can't access or change. Is there a way someone could update my email address to this one, please? Otherwise, I will need to get my new account added to the existing packages.
>
> robert
>
> On 12/18/2015 02:57 PM, Chris Muller wrote:
>>> Do we want these artifacts on SqueakSource and SqueakMap?
>>
>> Yes, please.  Put the code on SqueakSource and publish just the script for consuming it on SqueakMap.  The best practice is to have one script that loads a fixed version into a fixed Squeak (e.g., currently 5.0) so there is always a working reference one can go back to, and then one more for the latest code.
>>
>> http://wiki.squeak.org/squeak/6182 has details and examples.
>
> --
> . .. .. ^,^ robert