Why not use RustCrypto dependencies? #134
Comments
|
When this crate was created, RustCrypto wasn't really a thing, and the options were basically the unmaintained rust-crypto crate in rust or ring (which has a ton of issues and only supports a few architectures with its C code anyway). Now that we've done the work, though, I'm not sure why we'd switch - dependencies can always inject code which steals user funds in many creative ways, the biggest cost is building an alternative to begin with, which we've now paid. Especially with cryptography implementations, just letting it sit and barely be touched is probably more than fine. You mentioned at rust-bitcoin/rust-bitcoin#647 that one concern of yours is binary size - is it possible to go the other way and use bitcoin_hashes instead of RustCrypto? |
|
FWIW some HW has cryptography acceleration so it would be nice to support it using trait approach. (IMO a better reason than binary size.) Sadly this would be somewhat cumbersome as it means sprinkling generics everywhere. Generic modules would help but it's still 2021... (This may also be of interest: rust-lang/rfcs#2492 (comment) ) |
|
Thanks, that resolves my question.
Too early to tell, really. Let's continue the discussion in the other issue. |
I was wondering why there are internal implementations of all hashing functions in this crate versus using dependencies that implement them already, e.g. https://docs.rs/sha2/0.9.8/sha2/.
Maybe you could document the pro/con/rationale in the README. I know it says 'no-dependency' in the README, but it is not clear to me why this justifies implementing and maintaining all these hashing algos.
The text was updated successfully, but these errors were encountered: