On Friday, March 18, 2016 at 10:11:38 AM UTC, Johan Sigfrids wrote:
>
> Since packages are installed over an encrypted connection Julia must ship
> with some kind of crypto.
>
That is strictly not true.
A. First *A* counterexample:
download("https:// .... ") does work on my Linux machine.
help?> download
search: download
download(url,[localfile])
Download a file from the given url, optionally renaming it to the given
local file name. Note that this function relies on the availability of
external tools such as curl, wget or fetch to download the
file and is provided for convenience. For production use or situations in
which more options are needed, please use a package that provides the
desired functionality instead.
I did check the source code, my Linux Julia does what the documentation
says (this is also known as the system library" exception for GPL, that
would otherwise disallow using OpenSSL), it uses *pre-installed* program
what handles the crypto. On Windows I guess it uses some pre-installed
Windows API:
@windows_only function download(url::AbstractString,
filename::AbstractString)
res = ccall((:URLDownloadToFileW,:urlmon),stdcall,Cuint,
(Ptr{Void},Cwstring,Cwstring,Cuint,Ptr{Void}),C_NULL,url,filename,0,C_NULL)
if res != 0
error("automatic download failed (error: $res): $url")
end
filename
end
B. Similarily, on Linux and I guess OS X, for packages, Julia uses git,
that I believe is pre-installed. On Windows, yes, git (or libgit[2]?) is
distributed with, as not commonly found on Windows. Git could include
crypto, and then if/when git is distributed with Julia, you would be right.
I didn't check git. But since Julia can exclude the crypto, I guess git can
also, and probably does. Hopefully somebody can confirm. The original guy
who is worried, can also check if this is known about git.
> On Friday, March 18, 2016 at 11:39:11 AM UTC+2, Páll Haraldsson wrote:
>>
>>
>> On Thursday, March 17, 2016 at 8:27:33 PM UTC, Naiyuan Chiang wrote:
>>>
>>>
>>> Hi,
>>>
>>> I am working in United Technologies Research Center (UTRC), and
>>> currently I am interested in using Julia for my researches.
>>> According to the IT support of UTRC, I wonder if the distribution of
>>> Julia comes with certain packages, e.g. Crypto, by default.
>>> My understanding is no, but an official reply can help us to accurately
>>> identify the ECCN regulations for Julia.
>>>
>>> My IT support's original words are "Julia appears to be open source,
>>> but does have at least one package that uses SSL (Crypto, see
>>> *http://pkg.julialang.org/* <http://pkg.julialang.org/>). So without
>>> the packages, the language would likely be 5D992, but is open source, so
>>> should be not subject to the regulations. If the language comes with the
>>> Crypto package by default, then the distribution would be considered 5D002
>>> and we would need to ask about license exception TSU to treat it otherwise."
>>>
>>
>> While not an "official" reply* I'm fairly sure there is not crypto, and
>> see no good reason there should be, and can't find it in Julia.
>>
>> There is no reason for Julia to have crypto, since it is a language, and
>> as you say Crypto can be and is a package you can use. Others include
>> MbedTLS <http://github.com/JuliaWeb/MbedTLS.jl>, GnuTLS
>> <http://github.com/JuliaWeb/GnuTLS.jl>. I would even think it is
>> inappropriate [for any language] to include as you gave a reason.. There
>> would only be downsides and no upside as you can always just use a library.
>>
>> The trend has been to reduce (and add to..) the standard library, but
>> taking some features out of it and putting into several packages. See also
>> Julia-lite branch that tries to finish that policy.
>>
>> * I've been following Julia for a long time (at least since 2014), but
>> I'm not a major contributor/anywhere close to one of the key people. I have
>> made some minor contributions, even to crypto related package.. I think I
>> would know if I'm wrong. Please if anyone "official" or major developer can
>> confirm, at least the way I'm testing this (and rerun), please do.
>>
>>
>> Just to be sure I checked as thoroughly as I can think of:
>>
>>
>> I searched for "crypt", "SSL" and "TLS" (and some more strings) in the
>> Julia standard library in this way (and came up empty really):
>>
>> find /usr/share/julia/base/ |xargs grep SSL |less
>>
>> One "match":
>>
>> /usr/share/julia/base/docs/helpdb.jl:cryptographic applications (Knuth,
>> Seminumerical Algorithms).
>>
>>
>> https://en.wikipedia.org/wiki/Primality_test [ing]
>>
>> is just basic math, what is going on there, while useful for crypto, also
>> for other things, and is a false alarm:
>>
>>
>> isprime(::Integer)
>>
>> doc"""
>> isprime(x::BigInt, [reps = 25]) -> Bool
>>
>> Probabilistic primality test. Returns `true` if `x` is prime; and
>> `false` if `x` is not prime with high probability. The false positive
>> rate is about `0.25^reps`. `reps = 25` is considered safe for
>> cryptographic applications (Knuth, Seminumerical Algorithms).
>>
>>
>> Just in case, I also looked out for where isprime is used:
>>
>> /usr/share/julia/base/gmp.jl: ndigits, promote_rule, rem,
>> show, isqrt, string, isprime, powermod,
>> /usr/share/julia/base/gmp.jl:isprime(x::BigInt, reps=25) =
>> ccall((:__gmpz_probab_prime_p,:libgmp), Cint, (Ptr{BigInt}, Cint), &x,
>> reps) > 0
>>
>>
>> False alarm (Task related file):
>>
>> /usr/share/julia/base/task.jl:## basic task functions and TLS
>>
>>
>> Julia doesn't come with packages by default (except for separate JuliaBox
>> project, and I doubt crypto is bundled there,.). It does have a math
>> related library. The closest I can think of there is the
>> non-crypto-appropriate MersenneTwister PRNG.
>>
>> const GLOBAL_RNG = MersenneTwister()
>>
>> RandomDevice(unlimited::Bool=true) = new(open(unlimited ? "/dev/urandom"
>> : "/dev/random"))
>>
>>
>> As you can see, there is also support for real random numbers, that the
>> operating system gives you, but random numbers are not crypto; just a tiny
>> building block used by e.g. crypto. There is even allegation, that the NSA
>> made that such RNB biased/less secure.. so do not worry :)
>>
>>
>>
>> $ grep "TLS" /usr/include/julia/*
>> /usr/include/julia/options.h:// #define CODEGEN_TLS
>> /usr/include/julia/options.h:# define CODEGEN_TLS
>> /usr/include/julia/uv.h: * That is, it may not be possible to create many
>> TLS keys.
>>
>> False alarms ("TLS" there equals "Thread-local storage"):
>>
>> // (Experimental) codegen support for thread-local storage
>> // #define CODEGEN_TLS
>>
>> /* Thread-local storage. These functions largely follow the semantics of
>> * pthread_key_create(), pthread_key_delete(), pthread_getspecific() and
>> * pthread_setspecific().
>> *
>> * Note that the total thread-local storage size may be limited.
>> * That is, it may not be possible to create many TLS keys.
>> */
>> UV_EXTERN int uv_key_create(uv_key_t* key);
>> UV_EXTERN void uv_key_delete(uv_key_t* key);
>> UV_EXTERN void* uv_key_get(uv_key_t* key);
>> UV_EXTERN void uv_key_set(uv_key_t* key, void* value);
>>
>>
>> Even grepping the binary I came up empty:
>>
>> $ strings /usr/bin/julia |grep crypt
>> $ strings /usr/bin/julia |grep SSL
>> $ strings /usr/bin/julia |grep TLS
>>
>> I didn't grep the source code of Julia/the runtime. Shouldn't have to.
>> Even if it had crypto, you would have to be able to use it from an API in
>> the pure Julia standard library. I assume dependant projects, e.g. LLVM are
>> ok, even if not, that caveat should apply to those too.
>>
>> Thanks,
>>
>> Nai-Yuan
>>
>> --
>> Palli.
>>
>
