[fpc-pascal] Re: HMAC_SHA1 and FPC

Mark Morgan Lloyd markMLl.fpc-pascal at telemetry.co.uk
Tue Apr 2 10:08:25 CEST 2013


Reinier Olislagers wrote:
> On 2-4-2013 5:13, Noah Silva wrote:
>> Actually I think on OS X and Linux it makes sense to depend on OpenSSL,
>> but not for the reasons you mentioned so much as one more: Security. 
> 
> That's probably why the previous poster wrote robust etc. Sounds like
> security attributes to me.
> 
>> If
>> you are doing encryption, then it's better to use a library that
>> is updated more often for bug fixes, and to have the updates be applied
>> to your program automatically.  If you static-link it in, it will never
>> be updated until you update it and ship a new version of your program
>> and everyone installs it.  If you dynamically link to it, then the
>> operating system updates it, you get the updates "for free".

Depends. If you're using (say) a hash function to store a token in lieu 
of a password then the important thing is that this behaves consistently 
across platforms and program versions. If an external library eliminated 
a potential security flaw (the most common case being when null text was 
processed) that might be significant in the case of key scheduling for 
data transfer over an insecure channel, but not for purely local storage.

As usual, there's little substitute for the original programmer knowing 
what he's doing, and for him documenting what he's done so that 
maintainers know what sort of external event can cause an issue.

-- 
Mark Morgan Lloyd
markMLl .AT. telemetry.co .DOT. uk

[Opinions above are the author's, not those of his employers or colleagues]
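Added example, not part of the thread and not FPC or OpenSSL code: the check a maintainer would keep beside a self-contained HMAC-SHA1 so that the "behaves consistently across platforms and program versions" property Mark describes is actually tested rather than assumed. It is written in Python rather than Pascal so it runs anywhere; the pure-Python sha1()/hmac_sha1() stand in for a statically linked or native implementation, and the standard library's hashlib/hmac plays the role of the dynamically linked system library. It runs the published RFC 2202 vectors (cases 1, 2 and 6; case 6 exercises a key longer than the block), the empty-key / empty-message inputs the thread calls "null text" (constructed here, and checked only against the platform library since the RFC does not list them), and a constant-time token comparison for the store-a-token-in-lieu-of-a-password case. Function names (passes_rfc_vectors, matches_platform_library, verify_token) are this example's own.

```python
"""Self-contained HMAC-SHA1 plus the consistency checks a maintainer would keep with it.
Added example for the fpc-pascal thread; not code from FPC, OpenSSL or any poster."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
BLOCK_SIZE = 64  # SHA-1 block size in bytes; HMAC pads or hashes the key to this length


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1(data: bytes) -> bytes:
    """SHA-1 per FIPS 180-4, written out so nothing here depends on a system library."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    bit_len = len(data) * 8
    # Padding: one 0x80 byte, zeros up to 56 mod 64, then the 64-bit big-endian bit length.
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    padded += struct.pack(">Q", bit_len)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            temp = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
            a, b, c, d, e = temp, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """RFC 2104 HMAC over the sha1() above. Keys longer than the block are hashed
    first; shorter keys (including the empty key) are zero-padded to the block."""
    if len(key) > BLOCK_SIZE:
        key = sha1(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return sha1(opad + sha1(ipad + msg))


# Published RFC 2202 test cases 1, 2 and 6 (case 6 takes the key-longer-than-block path).
RFC2202_VECTORS = [
    (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00"),
    (b"Jefe", b"what do ya want for nothing?", "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
    (b"\xaa" * 80, b"Test Using Larger Than Block-Size Key - Hash Key First",
     "aa4ae5e15272d00e95705637ce8a3b55ed402112"),
]

# Constructed edge cases the RFC does not list: empty key, empty message, both empty
# (the "null text" case from the thread). Checked against the platform library only.
EDGE_CASES = [(b"", b"message"), (b"key", b""), (b"", b"")]


def passes_rfc_vectors() -> bool:
    return all(hmac_sha1(k, m).hex() == want for k, m, want in RFC2202_VECTORS)


def matches_platform_library(key: bytes, msg: bytes) -> bool:
    """Cross-check against the system's hashlib/hmac (the dynamically linked library,
    in the thread's terms). Any disagreement means tokens stored by one implementation
    would stop verifying after a switch to the other."""
    return hmac.compare_digest(hmac_sha1(key, msg), hmac.new(key, msg, hashlib.sha1).digest())


def passes_edge_cases() -> bool:
    return all(matches_platform_library(k, m) for k, m in EDGE_CASES)


def verify_token(secret: bytes, token_id: bytes, presented_tag: bytes) -> bool:
    """Token check of the kind the thread discusses: compare in constant time so the
    verifier does not leak how many leading bytes of the presented tag were right."""
    return hmac.compare_digest(hmac_sha1(secret, token_id), presented_tag)


if __name__ == "__main__":
    print("RFC 2202 vectors:", passes_rfc_vectors())
    print("edge cases agree with platform library:", passes_edge_cases())
```

The two check functions are the thing to keep in the test suite of a program that stores hashed tokens: the RFC vectors pin the implementation to the published standard, and the platform comparison catches the case where a later switch between the bundled code and the system library would silently invalidate everything already stored.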


