<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 25 Jul 2022 at 23:38, Brad ReDacted <<a href="mailto:brad.redacted@outlook.com">brad.redacted@outlook.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
I hate adding dependencies, but security is best left to security <br>
experts and I strongly advocate against duplicating security-related code.<br></blockquote><div><br></div><div>If this security feature is really needed, then the best practices seem to indicate a specialized library is needed, for example the Open Source Security Foundation (OpenSSF) Best Practices state:</div><div><br></div><div>"If the software produced by the project is an application or library,
and its primary purpose is not to implement cryptography, then it SHOULD
only call on software specifically designed to implement cryptographic
functions; it SHOULD NOT re-implement its own." ("The term SHOULD indicates a criterion that is normally required, but there may exist valid reasons in particular circumstances to ignore it. However, the full implications must be understood and carefully weighed before choosing a different course.")<br></div><div><br></div><div>FLOSS Best Practices Criteria (Passing Badge) <a href="https://bestpractices.coreinfrastructure.org/en/criteria/0">https://bestpractices.coreinfrastructure.org/en/criteria/0</a></div><div><br></div><div>Criteria Discussion <a href="https://bestpractices.coreinfrastructure.org/en/criteria_discussion">https://bestpractices.coreinfrastructure.org/en/criteria_discussion</a></div><div><br></div></div></div>