Re: [dev] securiy guidance

From: <>
Date: Tue, 06 Mar 2018 03:45:10 -0800

Hi Thomas,

On 2018-03-06 00:57, Thomas Levine wrote:
> If you copy (vendor) an encryption/decryption algorithm into your source
> code, then you are relying on more than libc. So perhaps you could
> expand your dependencies to libraries with acceptable licensing or
> to libraries that are widely available. For example, OpenBSD 6.2
> provides blowfish. Also, GnuPG libgcrypt is far more involved than you
> require, but it is still appropriately licensed.

Licensing is not a problem, I know there are appropriately licensed
crypto libraries out there. My problem is simple - I never worked with
crypto before and there's too many choices. It's like your wife sending
you to the store to buy her new shoes - who would have any idea which
one to pick? There's just too many choices for someone who doesn't have
the foggiest idea what's going on.

E.g. you mention libgcrypt, looking at the index page there's about 57
algorithms. As a start, which type of algo do I need? Blowfish is in the
symmetric cypher family, there's 11 there with 20 modes (w/e mode

As a personal preference I would rather use a bsd or mit licensed
project though.

> I can't help myself from adding to the distracting tangents.
> pw by Dashamir Hoxha has some of the features of present discussion.
> It is derived from password-store.
> It stores passwords in an encrypted tarball instead of inside the normal
> filesystem. Like pass-tomb, this has the effect that file hierarchy
> doesn't show up in the filesystem.

The use case I'm heading for is more similar to pass, I don't mind if
the hierarchy is visible (to those who have permissions anyway).

Thank you for your input!

  Peter Nagy
Received on Tue Mar 06 2018 - 12:45:10 CET

This archive was generated by hypermail 2.3.0 : Tue Mar 06 2018 - 12:48:25 CET