<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div class="moz-cite-prefix">On 7/25/2022 9:33 PM, Vaclav Petras
wrote:<br>
</div>
<blockquote type="cite" cite="mid:CABo5uVuwZrCzYzMjUv8SoCFByWRLwciQWv0PyKJTedAzgCK+RQ@mail.gmail.com">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, 25 Jul 2022 at
23:38, Brad ReDacted &lt;<a href="mailto:brad.redacted@outlook.com" moz-do-not-send="true" class="moz-txt-link-freetext">brad.redacted@outlook.com</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><br>
I hate adding dependencies, but security is best left to
security <br>
experts and I strongly advocate against duplicating
security-related code.<br>
</blockquote>
<div><br>
</div>
<div>If this security feature is really needed, then the best
practices seem to indicate a specialized library is needed,
for example the Open Source Security Foundation (OpenSSF)
Best Practices state:</div>
<div><br>
</div>
<div>"If the software produced by the project is an
application or library, and its primary purpose is not to
implement cryptography, then it SHOULD only call on software
specifically designed to implement cryptographic functions;
it SHOULD NOT re-implement its own." ("The term SHOULD
indicates a criterion that is normally required, but there
may exist valid reasons in particular circumstances to
ignore it. However, the full implications must be understood
and carefully weighed before choosing a different course.")<br>
</div>
<div><br>
</div>
<div>FLOSS Best Practices Criteria (Passing Badge) <a href="https://bestpractices.coreinfrastructure.org/en/criteria/0" moz-do-not-send="true" class="moz-txt-link-freetext">https://bestpractices.coreinfrastructure.org/en/criteria/0</a></div>
<div><br>
</div>
<div>Criteria Discussion <a href="https://bestpractices.coreinfrastructure.org/en/criteria_discussion" moz-do-not-send="true" class="moz-txt-link-freetext">https://bestpractices.coreinfrastructure.org/en/criteria_discussion</a></div>
</div>
</div>
</blockquote>
<p>This is why I recommended linking OpenSSL, as it is well vetted.</p>
<pre class="moz-signature" cols="72">--
Best Regards,
-Brad</pre>
</body>
</html>