[GRASS-dev] password security

Vaclav Petras wenzeslaus at gmail.com
Mon Jul 25 21:33:29 PDT 2022


On Mon, 25 Jul 2022 at 23:38, Brad ReDacted <brad.redacted at outlook.com>
wrote:

>
> I hate adding dependencies, but security is best left to security
> experts and I strongly advocate against duplicating security related code.
>

If this security feature is really needed, then the best practices seem to
indicate a specialized library is needed, for example the Open Source
Security Foundation (OpenSSF) Best Practices state:

"If the software produced by the project is an application or library, and
its primary purpose is not to implement cryptography, then it SHOULD only
call on software specifically designed to implement cryptographic
functions; it SHOULD NOT re-implement its own." ("The term SHOULD indicates
a criterion that is normally required, but there may exist valid reasons in
particular circumstances to ignore it. However, the full implications must
be understood and carefully weighed before choosing a different course.")

FLOSS Best Practices Criteria (Passing Badge)
https://bestpractices.coreinfrastructure.org/en/criteria/0

Criteria Discussion
https://bestpractices.coreinfrastructure.org/en/criteria_discussion