The Wrong Level of Abstraction

s/red/read/

The problem is that people who write encryption code and libraries seem to give zero thought to end users. This isn’t limited to encryption, but is a problem related to any intellectually hard problem space.

I feel a moral obligation to remind people of the best clippy ever made. Bonus points for leaving it running on a co-worker’s unlocked computer:

http://www.rjlsoftware.com/software/entertainment/clippy/

His text file is also customizable so you could add the “deprecated” classes/methods/members to the phrases that just ooze with cuteness.

Even if the source code is available, do you want to spend your time analyzing somebody else’s code? Even if you choose to do so, you still would need to become an expert on solving the initial problem in order to determine if the library code is:

  • doing it right
  • doing it efficiently
  • handling errors properly (do you even know what the error cases are?)
  • not creating any side effects

If you need to know all these things in order to determine if somebody else’s code will work for you, you already know enough to write it yourself.

I’m not proposing that we never use 3rd party libraries. I’m saying that it’s not a panacea and there are valid reasons not to do so.

So, are you going to use a library? Which one?

Amen!

I won’t disagree with using a special purpose library for such things, but I find it funny that in doing so you can (1) not understand the encryption, (2) copy and paste code from the internet and (3) not peer review the code all at the same time.

On the 3rd party lib issue; I like my solution best (who doesn’t?): find a domain where you don’t need any. I, time and again, find that where I most enjoy working is at a level where the only abstractions I deal with are native to the library. It’s not a matter of NIH but rather I like working just a smidge above the language.

It is important to have a wide breadth of knowledge in the programming languages that you use, even if it is just knowing that some library or framework exists for some purpose, but not necessarily all of the details.

If you do not have a wide breadth of knowledge of the programming languages that you are working with then you need to get out of the hurry up and code mentality and take some time to research the heck out of it so that you can make informed decisions when you sit down to write the code or plot out the design.

You should be able to coherently explain why you coded every piece of code the way that you coded it, and part of that explanation may be why you chose not to use a 3rd party library or existing API.

I cringe when I am working on code that was obviously well written by a smart person who spent a lot of time working on it, but didn’t have to because that functionality was already available in a standard library or relatively well known 3rd party library. It was just unknown to them.

Apparently some of us need to be reminded of the Open-SSH debacle. It was broken for two years. It’s probably still broken on many systems.

One other problem I’ve seen recently has involved recompiling unchanged (known, proven) libraries with updated compilers. Surprise: the newly compiled library may give very different answers. No rest for the weary.

Jesse McNelis nailed it (or at least one aspect of it). Documentation for third party libraries tends to look like either this:

http://www.w3.org/TR/html5/

or this:

about:blank

Neither one of which is useful to anyone.

I just riffed on this 24 hours ago. The “right” level of abstraction is the one where you no longer need to look under the covers to fix things.

http://clipperhouse.com/blog/post/The-cloud-The-cloud.aspx

I find the article kind of confusing. It talks about the problem that comes up with not using already available and well tested code but writing it from scratch (Reuse), with being on the wrong level of abstraction. BTW I picked it up from here (http://www.reddit.com/r/programming/comments/8rydz/the_wrong_level_of_abstraction/c0a8r6o)

One thing we can notice:
The more the language (or the library) goes towards abstraction, the easier it gets to solve real-world problems.

As programmers, we tend to think that the more we go down to the bits and octets, the more we go towards reality. But for regular people, the reality resides in the analogic macro world, not in the numeric world of micro chips.

That sounds like the day I discovered the boost libraries for C++; in a moment I felt how all the code I had written so far should be changed.

Abstraction… You keep using that word. I do not think it means what you think it means. Whether you use a library or not has nothing to do with abstraction. Abstraction has to do with design. You can use a library with poor abstraction and you could have made your encryption method properly abstracted even if you didn’t use a library.

It’s jQuery, not JQuery. JQuery is a SQL library for PHP.

It’s really hard to avoid reinventing the wheel; there’s an anti-pattern I call “stratification”.

I had the recent joy of looking at code I wrote 15 years ago. The first thing I noticed was that I made extensive use of linked lists, but I repeated a lot of the code. At the time, it was intentional; function calls were too expensive. But now we have fast computers, so I resolved to write myself a linked-list helper library.

A little further into the project, I was looking through some other code, and - what do you know! - found a linked-list helper library. It seemed like just what I needed. And that’s when I realized - it ought to, because I wrote that. I just hadn’t looked at it in 15 years, and neither had anyone else. So if I can’t even remember to use my own abstractions, how can I expect the rest of the company to?

Basically, the more you write high-level libraries that wrap lower-level ones, the less you use the low-level libraries. Thus, the less you understand them. At some point, you forget they even exist. At that point, you will - inevitably - write an even-higher-level library that recreates the lower-level functionality ON TOP OF the high-level library.

If you build a mail system that relies on a database, someone will inevitably decide that a mail system, with its built-in queueing, routing and simplicity, is a great transport for asynchronous replication - which in turn can be used to create a distributed file system. And once you’ve got a file system, well, wouldn’t it be great to get a database running on it?

I found your post on the same page as this link:
Cryptographic Right Answers
…on Hacker News (http://news.ycombinator.com) - coincidence? :)

That’s some good advice and a lot of dogma. For example “Use RSA-OAEP/-PSS” comes with a corollary of “… and be incompatible with every existing crypto-using application (and most crypto libraries) in existence”. “Use Group #14 with a generator of 2” comes with a side-order of “… but be aware that if anyone ever finds a weakness in these monoculture parameters, it’s game over for all your deployed apps (and everyone else’s too)”. “Use AES in CTR (Counter) mode, and append an HMAC” comes with a side-order of “… and then get a cryptographer to go through your code with a fine-toothed comb fixing all the side-channels you’ve left yourself vulnerable to by doing it yourself”. In fact the only advice I agree with completely is “use a crypto library done by someone who knows what they’re doing and don’t even think about doing any of it yourself”.
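The “append an HMAC” step and the side-channel concern raised in the comment above, as an added example that is not part of the thread or of the linked article. It assumes the ciphertext and a 16-byte nonce come from a library’s AES-CTR implementation and that the MAC key is separate from the encryption key; the function names are hypothetical.

```python
import hashlib
import hmac

TAG_LEN = 32    # HMAC-SHA256 output size in bytes
NONCE_LEN = 16  # assumed size of the CTR nonce / initial counter block


class AuthenticationError(Exception):
    """Raised when a message fails its integrity check."""


def append_hmac(mac_key, nonce, ciphertext):
    """Return nonce || ciphertext || HMAC-SHA256(mac_key, nonce || ciphertext)."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("unexpected nonce length")
    # The tag covers the nonce too: an unauthenticated nonce lets an attacker
    # change what the ciphertext decrypts to without touching the ciphertext.
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def verify_and_strip(mac_key, message):
    """Check the tag, then return (nonce, ciphertext) for decryption."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise AuthenticationError("message too short")
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # compare_digest runs in time independent of where the first mismatch is;
    # a plain == can leak how many leading tag bytes were correct.
    if not hmac.compare_digest(expected, tag):
        raise AuthenticationError("bad tag")
    # Only now may the caller hand the ciphertext to the decryption routine.
    return body[:NONCE_LEN], body[NONCE_LEN:]


def is_authentic(mac_key, message):
    """Convenience wrapper returning True/False instead of raising."""
    try:
        verify_and_strip(mac_key, message)
        return True
    except AuthenticationError:
        return False
```
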

My brother always says: “There’s no hard work but inappropriate tool”