Because of the recent discussion about warnings in CryptoPP I decided to post my thoughts on the subject. For several months I have felt uneasy using CryptoPP for several reasons, one of which is the number of warnings that appear. Although the warnings have been innocuous (unreferenced formal parameters, mostly) the strict programmer in me always feels that any warnings at all are indicative of sloppy programming or (worse) sloppy design. They can also indicate incomplete software; I often have code in intermediate stages of development where I purposely insert code that will cause warnings so as to remind me that the software is unfinished (unreferenced formal parameters are useful indicators of function stubs, for example). However, these warnings should obviously be eliminated before code is released.
Because CryptoPP is used for sensitive purposes I am increasingly convinced that the strict, conservative interpretation of warnings is vital. Cryptography is one of the few things we know how to do right (who am I quoting here?), so it doesn't make sense to accept software that isn't perfect. Additionally, from a confidence standpoint it doesn't help to have such crucial code spewing warnings to the developer; I am relying on this code to be secure. I cannot use code that is sloppy or unfinished.
This brings me to my second concern about the library, which is its extremely large size and opaqueness. While I normally appreciate comprehensive libraries, in the case of cryptography I have different concerns. My concern is to have a handful of primitive functions that I can access directly, which I can audit for reliability, and which are cleanly modularized. These requirements mean that what I want is a library that is NOT implemented using generic programming techniques. I am a big fan of generic programming in other endeavors (I use it every day) but one of its big drawbacks is that it makes code harder to read. I simply don't have time to audit CryptoPP, and as a result I am VERY leery of using it. It is simply too complex for me to understand without devoting an unacceptably large amount of time to studying it (even two weeks would be too much). In fact, the number of warnings that appear when CryptoPP compiles indicates to me that even the people who are developing the library do not fully understand it.
As a result of these concerns, I have been considering abandoning CryptoPP and either assembling a small, piecemeal library of just the primitives I need, or implementing my own library of primitives. The projects I am working on right now have extremely high security requirements, and I simply can't afford to have these kinds of doubts.
I have raised these concerns because I appreciate the effort that has been put into CryptoPP, and I don't want to see that effort wasted because people lack faith in the code. As a real-world user of the library I currently feel that it is a bad choice; I will continue using it in the short term, but right now my plan is to migrate to something simpler and clearer within six months.
Sincerely,
Guy L. Smith
Lead Developer
[EMAIL PROTECTED]
