git


Ruben De Smet

Feb 11, 2014, 3:56:19 PM
to cryptop...@googlegroups.com
Hi folks,

Git is becoming more and more the default version- and source code
management tool in the open source world. It's fast and awesome and many
(big) projects (including eg. flightgear) have switched from SVN or CVS
to git.

Do you guys have any interest in doing the conversion? I could probably
offer my help.

I came to this idea because I was thinking about implementing NTRU (more
on that topic in a different mail) in CryptoPP and it was quite
remarkable that CryptoPP didn't switch yet.

R


jacob...@outlook.com

May 12, 2014, 5:02:47 AM
to cryptop...@googlegroups.com
I would support a move to git and Github as well, I think switching to Github would make it much easier to allow people to contribute code. I am new to the project but you would probably have to contact the project owner.

Github also has a nice issue tracker built in, though I'm not a big fan of their wiki system.

Stephen Crane

May 12, 2014, 12:42:42 PM
to jacob...@outlook.com, cryptop...@googlegroups.com
I second this.


--
--
You received this message because you are subscribed to the "Crypto++ Users" Google Group.
To unsubscribe, send an email to cryptopp-user...@googlegroups.com.
More information about Crypto++ and this group is available at http://www.cryptopp.com.

Jeffrey Walton

May 20, 2014, 9:35:53 AM
to cryptop...@googlegroups.com


On Tuesday, February 11, 2014 3:56:19 PM UTC-5, ruben.de.smet wrote:
> Hi folks,
>
> Git is becoming more and more the default version- and source code
> management tool in the open source world. It's fast and awesome and many
> (big) projects (including eg. flightgear) have switched from SVN or CVS
> to git.

Forgive my ignorance.... What does Git provide to Crypto++ that Subversion does not?

Unlike the kernel, there is one developer (Wei Dai) and one set of sources (Wei Dai's copy). Because of the single root, it seems to me that Git is a complex solution to a simple problem.

Jeff

Ruben De Smet

May 20, 2014, 9:39:01 AM
to cryptop...@googlegroups.com
As far as I can tell, the fact that there is just one developer indeed
is a good reason to use svn, or just not to use a version control system.
If the sources would be on github, or some other git host, cryptopp
would become a lot more active and people could actually start adding
stuff and sharing it.

So to answer your question: git would provide additional contributors,
which is why you'd make something open source, no?

R

Wei Dai

May 24, 2014, 2:44:21 PM
to cryptop...@googlegroups.com
The problem with having more contributors is that in order to ensure security, I'd have to review their code, and it would take just about as long to review other people's code as to write it from scratch, and that code would be less maintainable in the long run since it would be in a different style from my own. An alternative would be to switch to a different development model with lots of contributors, lots of reviewers, a lot more resources overall. Unfortunately that doesn't seem very realistic for Crypto++ given that even OpenSSL has had trouble getting enough resources to maintain its security in the past.

David Irvine

May 24, 2014, 3:08:28 PM
to Wei Dai, Crypto++ Users

On Sat, May 24, 2014 at 7:44 PM, Wei Dai <wei...@weidai.com> wrote:
> The problem with having more contributors is that in order to ensure security, I'd have to review their code, and it would take just about as long to review other people's code as to write it from scratch, and that code would be less maintainable in the long run since it would be in a different style from my own.

Agreed, I would love to see move semantics etc. if possible though. Seems to me there are some efficiencies to be made, but mixed c++11/c++98 is a PITA. I am not sure that if the efficiencies were to prove significant then it would be worth it. I would love to have time to try, it's unlikely that I will though with my current commitments.

One other thing that would be nice though is a better mechanism for issues and patches perhaps? 

In any case great library Wei, as is, it is very good indeed, you need a donation button :-).


--

David Irvine
twitter: @metaquestions

Ruben De Smet

May 24, 2014, 3:33:17 PM
to cryptop...@googlegroups.com
Even if he does not add a donation button, chances are he's getting a
grand one from me in one or two years... Great library indeed!

R


jacob...@outlook.com

May 26, 2014, 12:31:43 AM
to cryptop...@googlegroups.com
Typically people use a style guide to enforce certain style of programming, although I suppose you likely mean style at a higher level, such as OO/procedural, though I suppose that could be enforced as well.

I commonly hear that it is easier to spot good code rather than write it, though that may be a bit different for crypto code. I suppose it is difficult to disagree with the maintainer however.

I am sure at least some people would be willing to review code.

--JH

Wojciech S. Czarnecki

May 26, 2014, 6:28:07 AM
to cryptop...@googlegroups.com
On Sun, May 25, 2014 at 09:31:43PM -0700, jacob...@outlook.com wrote:

>>[Wei Dai] The problem with having more contributors [...] security
I second that.

>>[Wei Dai] it would take just about as long to review other people's
>>code as to write it from scratch

With odds that a subtle trap (eg one exploiting compiler's optimization
quirks) will slip in anyway.

>[JH] I am sure at least some people would be willing to review code.
The code that Wei Dai wrote/writes can be reviewed now. But very few
people on our Earth have the knowledge to review crypto code at all.

Plus, as we were enlightened recently, many of these few are working
meticulously on reviews in search for new venues. Why give them
opportunities to introduce more?

>
> --JH

TC, Ohir.

--

Wojciech S. Czarnecki
<< ^oo^ >> OHIR-RIPE

jacob...@outlook.com

May 26, 2014, 3:53:40 PM
to cryptop...@googlegroups.com, oh...@sec.pl
There are 2 levels of knowledge required for reviewing code in this project, the
crypto, and the c++. Most people reviewing the code will be able to spot the
c++ errors, but crypto specific changes will require someone with that
knowledge to review. I would also assume that most of the changes are
c++ changes as opposed to changing the crypto implementation around.

Directed attacks are more serious, but they are also possible with our current
method of contributing code.

There is another benefit of having the project on Github, which is more people
would be reviewing the code as well as contributing it.

--JH

Zooko O'Whielacronx

Jul 7, 2014, 8:08:32 PM
to Crypto++ Users
I disagree that Crypto++'s single-committer strategy is a good reason
*not* to move to git and to github. Git and github are fine tools to
use for single-committer projects.

There are a large number of ways that github would be better than what
we have now — a working issue tracker, a nice source-code browser, and
in general github is a site that a large number of people know how to
find and use.

Sourceforge seems to be in a bad state and getting worse. Do they
still use http-no-s mirrors? And are the download pages still
festooned with obnoxious ads, some of which try to trick you into
thinking that *they* are the way to download the thing you're trying
to download? In contrast the github maintainers are very active about
improving and maintaining it, there are no ads, and they have a good
track record of caring about security.

Switching to git and github would also make it easier for people like
me who re-use parts of Crypto++ inside other projects:
https://github.com/tahoe-lafs/pycryptopp/tree/master/src-cryptopp

I'd be happy to help make the move. There's not much to it. A couple
of people, including me, have already cloned Crypto++'s SVN history
into git:

https://github.com/zooko/cryptopp
https://github.com/ametaireau/cryptopp

Regards,

Zooko

Ruben De Smet

Apr 20, 2015, 6:53:13 AM
to Zooko O'Whielacronx, Crypto++ Users
Has there still been a discussion on this topic? Another reason for
using git: git-submodules are very useful things, that we can't use this
way.


Jean-Pierre Münch

Apr 21, 2015, 10:42:22 AM
to cryptop...@googlegroups.com
Well, from my side there's nothing against moving Crypto++ to git. (I
even did with my fork)
But of course, we would need the "owner" (Wei Dai) of this library to do
this step and it's his decision, if he thinks it's impossible if a lot
of (not very competent crypto coders) we would lack "official" support.

BR

JPM

