[liberationtech] Request for comments: Peewee integration with pysqlcipher
Uncle Zzzen
unclezzzen at gmail.com
Sat Apr 19 08:50:39 PDT 2014
Regardless of this specific code, it has led to a
discussion <https://github.com/coleifer/peewee/pull/343#discussion-diff-11793673R3>
regarding the *"Warning!!! Experimental!!!"* comments in crypto libraries and whether code with such
warnings should be pull-requested into live projects [as optional
extensions, of course].
I'd like to hear your opinions on this, because now that we know
more <https://www.youtube.com/watch?v=fwcl17Q0bpk>,
I think such issues are important to the developer community.
On 19 April 2014 10:31, Uncle Zzzen <unclezzzen at gmail.com> wrote:
> https://github.com/swizzler/peewee/ is our fork of peewee <http://peewee.readthedocs.org/> (a tiny Python ORM) that provides
> pysqlcipher <https://github.com/leapcode/pysqlcipher/> integration.
> There's also a gist <https://gist.github.com/thedod/11048875> with a
> minimal example if you want to play with this without starting from scratch.
>
> First, I'm happy to announce this (as long as you understand that *this
> has not been peer reviewed yet*).
>
> This brings us to the question whether I've introduced new vulnerabilities
> (I don't think so, but people never do [?]).
>
> Also, there's an "educational" question:
> This is a library, so the target audience is a developer who "should know
> better" (but maybe doesn't). I've introduced "reasonable minimums" <https://github.com/swizzler/peewee/blob/sqlcipher/playhouse/sqlcipher_ext.py#L31>
> for passphrase length and kdf_iter. If the developer tries to use
> "unreasonable values", the error message says something like "you need more
> than that", because the numbers are quite low (8 and 10000).
>
> So the questions are:
>
> 1. What are the "right numbers"?
> 2. Is 64000 a "reasonable default" <https://github.com/swizzler/peewee/blob/sqlcipher/playhouse/sqlcipher_ext.py#L30>
> for kdf_iter?
> 3. Anything wrong or misleading in my docs/comments?
> 4. Any URLs I could send developers who wish to learn more?
> 5. [and - of course] Any vulnerabilities you can think of?
>
> Thanks,
>
> The Dod <http://thedod.github.io> / the Swizzler <https://github.com/swizzler/swizzler#readme> project
>
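
Added example, not part of the original message or of the peewee/pysqlcipher code: one way to put numbers behind questions 1 and 2 is to enforce the stated minimums (8 characters, kdf_iter 10000, default 64000) and measure what one passphrase guess costs at each iteration count. The function and constant names are hypothetical, and PBKDF2-HMAC-SHA1 with a 256-bit key is an assumption about the KDF in use.

```python
import hashlib
import os
import time

# Numbers quoted in the message above; the constant and function names
# are hypothetical, not those of playhouse/sqlcipher_ext.py.
MIN_PASSPHRASE_LEN = 8
MIN_KDF_ITER = 10000
DEFAULT_KDF_ITER = 64000


def check_params(passphrase, kdf_iter=DEFAULT_KDF_ITER):
    """Refuse values below the minimums described in the message."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase needs at least %d characters" % MIN_PASSPHRASE_LEN)
    if kdf_iter < MIN_KDF_ITER:
        raise ValueError("kdf_iter needs to be at least %d" % MIN_KDF_ITER)


def derive_key(passphrase, salt, kdf_iter=DEFAULT_KDF_ITER):
    """Assumption: PBKDF2-HMAC-SHA1 producing a 256-bit key."""
    check_params(passphrase, kdf_iter)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, kdf_iter, dklen=32)


def seconds_per_guess(kdf_iter, trials=3):
    """Best-of-N wall time for one key derivation on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_key("constructed sample passphrase", salt, kdf_iter)
        best = min(best, time.perf_counter() - start)
    return best


def years_to_search(entropy_bits, kdf_iter):
    """Expected years to try half of a 2**entropy_bits passphrase space, one guess at a time."""
    return 2 ** (entropy_bits - 1) * seconds_per_guess(kdf_iter) / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for iters in (MIN_KDF_ITER, DEFAULT_KDF_ITER):
        print("kdf_iter=%d: %.1f ms per guess" % (iters, seconds_per_guess(iters) * 1000))
        for bits in (20, 40, 60):
            print("  %d-bit passphrase: %.3g years" % (bits, years_to_search(bits, iters)))
```

The timings are for one CPU core running Python's `hashlib`; dedicated hardware computes PBKDF2 far faster, so the printed figures overstate the protection and are best read as a comparison between iteration counts and passphrase strengths.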