On Fri, May 25, 2018 at 12:07:06PM +0200, Tomas Mraz wrote:
> 
> Because having millions of copies of SHA1, MD5, and SHA2 and .... in
> millions of applications is the best thing.
>
> Now that's something I would call laziness - just copy the code and do
> not care about doing the proper decision which crypto library to use.

These algorithms are static and have test vectors.  If you don't need
hardware acceleration for your use case, and portability and reducing
external dependencies are a priority, it's a very realistic
engineering tradeoff.

libext2fs has been ABI backwards compatible for 19 years (since the
move from a.out to ELF shared libraries).  OpenSSL can't keep ABI
compatibility from one release to another.  You can't build ABI
compatibility on top of shifting sands, so that's a really good reason
for a library not to depend on OpenSSL (if you care about backwards
compatibility, anyway).

Also consider that sha512.o is only 4735 bytes.  libxml2 has a size of
1.75 megabytes, so having my own version of sha512 is equivalent to
0.26% of libxml2.

Using my own copy of sha512?  2.5 milli-libxml2's.  Shared library ABI
backwards compatibility?  Priceless.

(And I won't even get into the bloat-o-rama which is GNOME2....)

                                       - Ted
