Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC adding third party Ed25519, HPKE, and CBOR libs #208
base: master
Are you sure you want to change the base?
RFC adding third party Ed25519, HPKE, and CBOR libs #208
Changes from 2 commits
edb3a4a31edd1de78ffaccb6ff54d236bb8606ed054c0957dc3d0435File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This appears to be CC0, which I know different companies have differing policies around, both in terms of usage and any potential contributions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CC0 is broadly considered to be the legal equivalent to the colloquial definition of "public domain", so I don't expect that to be an issue, although perhaps @alex could weigh in.
Creative Commons (non-zero) is generally what triggers more paranoia across different companies. However, I am not sure what the policy is for Web Platform Tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have absolutely no context here, but:
That repo is a pure-Python, but somewhat optimized, implementation of ed25519. It was implemented by taking djb's original ed25519 Python code and optimizing it. djb's original implementation is listed as being licensed "in the public domain": https://ed25519.cr.yp.to/software.html. However, "public domain" is not a concept that exists in all jurisdictions, thus we licensed our modifications under the most permissive license that should work everywhere. For all practical purposes, I do believe anyone should be encumbered by this license.
All of that said, for 99.999% of use cases, you should get your ed25519 from pyca/cryptography, which is dual BSD-3-Clause/Apache-2 licensed. It will be much faster, etc. The only reason to use ed25519.py is if you have a use-case that absolutely requires it be pure python. Bootstrapping the python packaging ecosystem is the only real use case I'm aware of.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the use case here, wptserve, is in fact pure-Python, so ed25519.py is in fact a reasonable match for our needs.
CC0 licensing also sounds very permissive, and it looks like web-platform-tests already contains some CC0 licensed code: https://github.com/web-platform-tests/wpt/blob/master/images/wpt-pr-bot-logo/wpt-pr-bot-logo-darkblue.svg?short_path=d6712fa#L4
I think we've resolved all concerns here and so I'm going to resolve this thread. Feel free to unresolve this comment if this does pose a problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fact that wptserve is pure python doesn't really mean it needs to have only pure python dependencies. As the maintainer of ed25519.py, I think it'd be a mistake to use it unless you have immovable constraints like
pipdoes.But at any rate, you've got the licensing history, do as you please.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We've certainly tried to avoid compiled dependencies — especially those that have more requirements to build above and beyond what CPython requires to build.
It's certainly the case that we care about being able to run WPT tests (and thus the server) on relatively unusual architectures/OSes (an obvious example is that some of the WebKit ports are still maintaining Linux/arm32 support, for which no cryptography wheels are available — and there's been reluctance to add all the dependencies to build cryptography into the image used — but also there are more extreme cases such as macOS on Apple Silicon prior to its public announcement); any time where we add a compiled dependency it potentially adds a whole load of "you need to install X, Y, and Z before you can install the Python dependencies".
Thus, in general, unless there's a very compelling reason, we've had a strong bias for pure-Python dependencies.