I'm a big fan of pyca/cryptography and I use it for any serious project, but if ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		Retr0id 8 months ago \| parent \| context \| favorite \| on: 15,000 lines of verified cryptography now in Pytho... I'm a big fan of pyca/cryptography and I use it for any serious project, but if I just need hashing I tend to use the standard library hashlib - it saves a somewhat heavy dependency, and the API is less verbose. Also, pyca/cryptography uses OpenSSL. OpenSSL is fine, but has the same "problem" as the previous python stdlib implementation. (Personally I think it's an acceptable risk. If anything, swapping in 15,000 lines of new code is the greater risk, even if it's "verified")

frumplestlatz 8 months ago [–]

I'm curious why you put "verified" in scare-quotes, and why you think adopting formally verified code is a greater risk.

Retr0id 8 months ago | [–]

I don't think formal verification is bad, I just don't think it's a silver bullet. i.e. we should not get complacent and assume that formally verified code is 100% safe.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact