[GRASS-dev] password security
Brad ReDacted
brad.redacted at outlook.com
Mon Jul 25 21:40:37 PDT 2022
On 7/25/2022 9:33 PM, Vaclav Petras wrote:
>
>
> On Mon, 25 Jul 2022 at 23:38, Brad ReDacted
> <brad.redacted at outlook.com> wrote:
>
>
> I hate adding dependencies, but security is best left to security
> experts and I strongly advocate against duplicating security
> related code.
>
>
> If this security feature is really needed, then the best practices
> seem to indicate a specialized library is needed, for example the Open
> Source Security Foundation (OpenSSF) Best Practices state:
>
> "If the software produced by the project is an application or library,
> and its primary purpose is not to implement cryptography, then it
> SHOULD only call on software specifically designed to implement
> cryptographic functions; it SHOULD NOT re-implement its own." ("The
> term SHOULD indicates a criterion that is normally required, but there
> may exist valid reasons in particular circumstances to ignore it.
> However, the full implications must be understood and carefully
> weighed before choosing a different course.")
>
> FLOSS Best Practices Criteria (Passing Badge)
> https://bestpractices.coreinfrastructure.org/en/criteria/0
>
> Criteria Discussion
> https://bestpractices.coreinfrastructure.org/en/criteria_discussion
This is why I recommended linking OpenSSL, as it is well vetted.
--
Best Regards,
-Brad