On 12/26/2014 04:36 PM, stephen Turner wrote:
> including list.
>
> On Fri, Dec 26, 2014 at 5:35 PM, stephen Turner
> <[email protected]> wrote:
>
>     speaking of which (and going back to "simple is complex"), i have an
>     openssl- (or boringssl-)based md5sum/sha1sum implementation that adds
>     all the other shas too. (a toybox built with all these is actually a
>     couple of hundred bytes larger than the one with just md5/sha1sum, but
>     that's because of the duplicated help strings.)
>
>     i know one of your goals is to minimize dependencies, but for us the
>     goal of minimizing duplication (and thus amount of code to audit) is
>     probably stronger. i suspect no one really cares that the toybox
>     hashes are slower than the openssl ones, but the security folks
>     probably will care about having another TLS implementation. (and
>     things like reimplementing zlib and bunzip2 probably fall somewhere in
>     between.)
>
>
> in regards to openssl, tls, and the like, would these be reusable
> implementations for webkit and other web browser backends?

No. And I'm really leaning towards not doing it if I can avoid it. I just need the functionality, and don't want to link against external libraries adding unbounded complexity to the project.

What I'd like is a command I can run and pipe an http:// session through to turn it into an https:// session, and have _that_ thing worry about what that means.

Unfortunately, the stunnel project appears to be crap (haven't looked at it in a while, but at the time it wasn't something I wanted to get on me), and I haven't found a decent small clone of it. (Tried to talk dropbear into adding one and they didn't want to expand their scope. Can't blame 'em.)

The actual _math_ of doing the encryption doesn't seem so bad, especially since "bc" requires a bignum library (thank you posix) and Peter "let's complicate everything" Anvin swapped out my patch to remove perl from the kernel build with a version that calls "bc" instead. (Which busybox doesn't implement.)

Unfortunately, A) this is encryption code so the full cryptographic paranoia kicks in, and I really dowanna go there, B) the constellation of certificates needed to verify site identity is just horrific and I DO NOT WANT TO GO THERE.

This is why "looking at" has not translated into "I'm writing", and it is NOT in scope for the 1.0 release. (Which means "wget" is bordering on useless at the moment, but eh...)

> If other
> programs will be able to use then i would say to implement it to its
> fullest needed to support the majority of applications. otherwise if
> it's only for internal support the bare minimum needed would be fine.

I'm only interested in the bare minimum. Unfortunately, the bare minimum is enormous. (Certificates!)

(I did about half the work once to make landley.net work with https and hit the "I don't have root access on the server, how do I tell my ISP where to install a certificate" and it went on the todo list. You know about the todo list...)

>     yeah, i was hoping to abdicate responsibility for subsetting and was
>     disappointed to find that 'default' didn't mean "you probably want
>     this". but it makes sense, and the subset that one project needs isn't
>     necessarily going to be the same as any other project.
>
> If we're referring to defconfig i would hope it would include all
> intended to be included toybox apps that are currently stable or at
> least have an option that behaves in the same way.

Defconfig is the maximum sane configuration. It's all the stuff that works without requiring strange build-time prerequisites like selinux.

Some things in the toybox sub-menu (debug options, the unnecessary memory freeing to make valgrind and such happy, etc.), the "examples" directory, and the "pending" directory default n. Stuff doesn't get promoted out of pending until it can default y.

Rob
_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
