Since packages are installed over an encrypted connection Julia must ship with some kind of crypto.
On Friday, March 18, 2016 at 11:39:11 AM UTC+2, Páll Haraldsson wrote: > > > On Thursday, March 17, 2016 at 8:27:33 PM UTC, Naiyuan Chiang wrote: >> >> >> Hi, >> >> I am working in United Technologies Research Center (UTRC), and currently >> I am interested in using Julia for my researches. >> According to the IT support of UTRC, I wonder if the distribution of >> Julia comes with certain packages, e.g. Crypto, by default. >> My understanding is no, but an official reply can help us to accurately >> identify the ECCN regulations for Julia. >> >> My IT support's original words are "Julia appears to be open source, but >> does have at least one package that uses SSL (Crypto, see >> *http://pkg.julialang.org/* <http://pkg.julialang.org/>). So without the >> packages, the language would likely be 5D992, but is open source, so should >> be not subject to the regulations. If the language comes with the Crypto >> package by default, then the distribution would be considered 5D002 and we >> would need to ask about license exception TSU to treat it otherwise." >> > > While not an "official" reply* I'm fairly sure there is not crypto, and > see no good reason there should be, and can't find it in Julia. > > There is no reason for Julia to have crypto, since it is a language, and > as you say Crypto can be and is a package you can use. Others include > MbedTLS <http://github.com/JuliaWeb/MbedTLS.jl>, GnuTLS > <http://github.com/JuliaWeb/GnuTLS.jl>. I would even think it is > inappropriate [for any language] to include as you gave a reason.. There > would only be downsides and no upside as you can always just use a library. > > The trend has been to reduce (and add to..) the standard library, but > taking some features out of it and putting into several packages. See also > Julia-lite branch that tries to finish that policy. > > * I've been following Julia for a long time (at least since 2014), but I'm > not a major contributor/anywhere close to one of the key people. I have > made some minor contributions, even to crypto related package.. I think I > would know if I'm wrong. Please if anyone "official" or major developer can > confirm, at least the way I'm testing this (and rerun), please do. > > > Just to be sure I checked as thoroughly as I can think of: > > > I searched for "crypt", "SSL" and "TLS" (and some more strings) in the > Julia standard library in this way (and came up empty really): > > find /usr/share/julia/base/ |xargs grep SSL |less > > One "match": > > /usr/share/julia/base/docs/helpdb.jl:cryptographic applications (Knuth, > Seminumerical Algorithms). > > > https://en.wikipedia.org/wiki/Primality_test [ing] > > is just basic math, what is going on there, while useful for crypto, also > for other things, and is a false alarm: > > > isprime(::Integer) > > doc""" > isprime(x::BigInt, [reps = 25]) -> Bool > > Probabilistic primality test. Returns `true` if `x` is prime; and > `false` if `x` is not prime with high probability. The false positive > rate is about `0.25^reps`. `reps = 25` is considered safe for > cryptographic applications (Knuth, Seminumerical Algorithms). > > > Just in case, I also looked out for where isprime is used: > > /usr/share/julia/base/gmp.jl: ndigits, promote_rule, rem, > show, isqrt, string, isprime, powermod, > /usr/share/julia/base/gmp.jl:isprime(x::BigInt, reps=25) = > ccall((:__gmpz_probab_prime_p,:libgmp), Cint, (Ptr{BigInt}, Cint), &x, > reps) > 0 > > > False alarm (Task related file): > > /usr/share/julia/base/task.jl:## basic task functions and TLS > > > Julia doesn't come with packages by default (except for separate JuliaBox > project, and I doubt crypto is bundled there,.). It does have a math > related library. The closest I can think of there is the > non-crypto-appropriate MersenneTwister PRNG. > > const GLOBAL_RNG = MersenneTwister() > > RandomDevice(unlimited::Bool=true) = new(open(unlimited ? "/dev/urandom" : > "/dev/random")) > > > As you can see, there is also support for real random numbers, that the > operating system gives you, but random numbers are not crypto; just a tiny > building block used by e.g. crypto. There is even allegation, that the NSA > made that such RNB biased/less secure.. so do not worry :) > > > > $ grep "TLS" /usr/include/julia/* > /usr/include/julia/options.h:// #define CODEGEN_TLS > /usr/include/julia/options.h:# define CODEGEN_TLS > /usr/include/julia/uv.h: * That is, it may not be possible to create many > TLS keys. > > False alarms ("TLS" there equals "Thread-local storage"): > > // (Experimental) codegen support for thread-local storage > // #define CODEGEN_TLS > > /* Thread-local storage. These functions largely follow the semantics of > * pthread_key_create(), pthread_key_delete(), pthread_getspecific() and > * pthread_setspecific(). > * > * Note that the total thread-local storage size may be limited. > * That is, it may not be possible to create many TLS keys. > */ > UV_EXTERN int uv_key_create(uv_key_t* key); > UV_EXTERN void uv_key_delete(uv_key_t* key); > UV_EXTERN void* uv_key_get(uv_key_t* key); > UV_EXTERN void uv_key_set(uv_key_t* key, void* value); > > > Even grepping the binary I came up empty: > > $ strings /usr/bin/julia |grep crypt > $ strings /usr/bin/julia |grep SSL > $ strings /usr/bin/julia |grep TLS > > I didn't grep the source code of Julia/the runtime. Shouldn't have to. > Even if it had crypto, you would have to be able to use it from an API in > the pure Julia standard library. I assume dependant projects, e.g. LLVM are > ok, even if not, that caveat should apply to those too. > > Thanks, > > Nai-Yuan > > -- > Palli. >
