You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/blog/botan-first-milestone.md
+37-35Lines changed: 37 additions & 35 deletions
Original file line number
Diff line number
Diff line change
@@ -12,27 +12,29 @@ lead = "After 8 months of work, we've reached an important milestone. Now we're
12
12
13
13
# Botan: The First Milestone
14
14
15
-
First off, huge thanks to [Mercury][mercury] for funding the [first proposal][first proposal] and helping us reach this milestone - this library would not be in this state without their support. If you are an engineer looking for a savvy place to work, I hear they are [hiring][mercury hiring]!
15
+
What are you using cryptography for? Would you be interested in trying something new? Perhaps an alternate backend for your cryptography needs?
16
+
17
+
We're working on `botan`, a cryptographic kitchen sink, and after 8 months of work, we've reached an important milestone: we've successfully published the first released version `0.0.1` of [botan-bindings][botan-bindings] and [botan-low][botan-low], and `botan` has made it to [package candidate][botan] status!
16
18
17
-
With [botan-bindings][botan-bindings] and [botan-low][botan-low] having reached their initial `0.0.1`release and `botan`making it to [package candidate][botan] status, we've reached an important milestone - the first released version!
19
+
Now we are hard at work on getting the first release version of `botan`ready too, and could use your feedback!
18
20
19
-
After 8 months of work, celebrations were in order, and after a bit of a breather, we're back in action to tell you about what is coming next.
21
+
## What is Botan?
22
+
23
+
Botan is an comprehensive, open-source, BSD-licenced, C++ cryptography library with a stable C API. It offers a broad variety of functionality and algorithms, including **post-quantum cryptography**, is developed and maintained by an active community, and has been [audited][botan audit] in the past.
20
24
21
-
But first...
25
+
By binding to Botan, we have solved a significant problem of providing much of the necessary 'cryptographic kitchen sink' via a suitably performant, suitably licensed, open-source library. Furthermore, we do this without imposing a large maintenance burden on the Haskell community, as we are not required to maintain the Botan cryptography library itself, only the bindings to it.
22
26
23
-
# A call for users
27
+
##A call for users
24
28
25
29
Do you use one of the following libraries?
26
30
27
31
-`crypton` / `cryptonite`
28
32
-`libsodium`
29
33
-`saltine`
30
34
31
-
What are you using cryptography for? Would you be interested in trying something new? Perhaps an alternate backend for your cryptography needs?
32
-
33
-
We're working on `botan`, a cryptographic kitchen sink, and could use your feedback! We've successfully published `botan-bindings` and `botan-low`, and now are hard at work on getting `botan` ready too. That's where you come in! We can't listen to your feedback if there isn't any.
35
+
That's where you come in! We'd like you to consider giving [botan][botan github] a try!
34
36
35
-
`botan-low` is surprisingly viable out-of-box, and `botan` will be having it's own `0.0.1` release soon enough. We are interested in seeing how they perform in the real world, and we can only do that with users!
37
+
`botan-low` is surprisingly viable out-of-box, and `botan` will be having it's own `0.0.1` release soon enough. We are interested in seeing how they perform in the real world, and we can only do that with users - we can't listen to your feedback if there isn't any!
36
38
37
39
Or perhaps you may be a user of a library with one of these buried deep in the dependencies?
38
40
@@ -56,34 +58,27 @@ Having a solid, reliable, and well-maintained cryptography libraries is a huge b
56
58
57
59
What are you using cryptography for? Let us know in the comments or with upvotes.
58
60
59
-
# Who are we?
61
+
##Who are we?
60
62
61
63
I am Leo Dillinger, a member of [Haskell Cryptography Group][haskell cryptography group], and I am working with the [Haskell Foundation][haskell foundation] to develop free and open-source software for you and the Haskell ecosystem.
62
64
63
-
# What are our goals?
65
+
##What are our goals?
64
66
65
67
We seek to provide trusted, open-source cryptography solutions to you. Much of the existing Haskell cryptography ecosystem is aging, unmaintained and unaudited, or very limited in scope, we are seeking to improve that.
66
68
67
-
# What is Botan?
69
+
Today, we're here to tell you about what is coming next.
68
70
69
-
Botan is an comprehensive, open-source, BSD-licenced, C++ cryptography library with a stable C API. It offers a broad variety of functionality and algorithms, including **post-quantum cryptography**, is developed and maintained by an active community, and has been [audited][botan audit] in the past.
70
-
71
-
By binding to Botan, we have solved a significant problem of providing much of the necessary 'cryptographic kitchen sink' via a suitably performant, suitably licensed, open-source library. Furthermore, we do this without imposing a large maintenance burden on the Haskell community, as we are not required to maintain the Botan cryptography library itself, only the bindings to it.
72
-
73
-
See the
74
-
[first proposal][first proposal] for more details.
75
-
76
-
# A new phase
71
+
## A new phase
77
72
78
73
As we all know, perfect is the enemy of good; no software is perfect the first time, and we release things when they work, and then continue to improve them. And so we hope that this is simply the first version and first step on a journey of many improvements small and large.
79
74
80
75
With this milestone, the project enters a new phase in the software development lifecycle - maintenance and development. During initial development, we were nimble, and could make choices arbitrarily - but now that we have something that works, with an initial release and users, we have to keep it working all the while we continue further development. We now have other people invested in this, and can't make choices willy-nilly - we owe it to our users and stakeholders to listen to them.
81
76
82
-
# The second milestone
77
+
##The second milestone
83
78
84
79
That is what this next milestone is about - listening to feedback, improving the user experience, and seeing where the pain points are. Here's what we've heard, and here's what we're planning for the next three months.
85
80
86
-
## Improved installation support
81
+
###Improved installation support
87
82
88
83
One of the biggest pieces of feedback that we've received is the need for improved support for the installation of the `botan3` C++ library. This was a recurring item, and we've heard you loud and clear.
89
84
@@ -93,27 +88,27 @@ We'd like to spend a good chunk of time improving the installation process, with
93
88
94
89
We're also looking into using `build-type: Configure` for bundling Botan C++ as a Haskell package for easy installation on all operating systems - we'd like for usage to be as easy as adding `botan` to your dependencies.
95
90
96
-
## Development of a drop-in interface replacement for `crypton`
91
+
###Development of a drop-in interface replacement for `crypton`
97
92
98
93
This is obviously on our mind, given our call for users, and was mentioned several times in feedback. `crypton` is a dependency in many important libraries in the Haskell ecosystem, and we would like to build an interface that is as near a drop-in replacement for `crypton` as possible.
99
94
100
95
There will be some differences, as `botan` doesn't necessarily support everything[^2] in the same way as `crypton` does, but we'll give it our best effort to make migration as simple as possible.
101
96
102
97
[^2]: There are a few things that `crypton` supports that `botan` doesn't, but also vice versa - `botan` supports things like modern post-quantum algorithms and `crypton` doesn't.
103
98
104
-
## Development of a high-level libsodium-like interface
99
+
###Development of a high-level libsodium-like interface
105
100
106
101
We'd like to expose a high-level libsodium-like interface of selected best-in-class algorithms in order to make usage dead simple. We don't want you managing primitives yourselves - we want you calling a simple function purely or in an appropriate monad / transformer.
107
102
108
103
> This might be a bit of a stretch goal, in favor of focusing on replacing `crypton`.
109
104
110
-
## Continued development of the cryptographic typeclasses
105
+
###Continued development of the cryptographic typeclasses
111
106
112
107
The development of [cryptographic typeclasses][cryptographic typeclasses] is ongoing, in an effort to improve per-algorithm type safety and ergonomics through more consistent handling of cryptographic primitives such as keys, nonces, and ciphertexts.
113
108
114
109
> This is also a necessity for the `crypton` drop-in replacement.
115
110
116
-
## Continued refinement of `botan`
111
+
###Continued refinement of `botan`
117
112
118
113
There are many continued refinements and improvements to the `botan` library that we would like to apply.
119
114
@@ -131,35 +126,35 @@ These are some of the things that we'd like to accomplish over the coming months
131
126
132
127
You can find more details in the updated [second funding proposal][second proposal]. This proposal is a continuation of the efforts of the first proposal, and is motivated by the same long-term goals.
133
128
134
-
# A flag planted on the horizon
129
+
##A flag planted on the horizon
135
130
136
131
As part of the Haskell Cryptography Group, we're about more than just maintenance of existing libraries - we want to develop a full suite of modern cryptography libraries.
137
132
138
-
Cryptography is a different niche, but we see the success of Haskell web server libraries as an example of a healthy, community-driven ecosystem. There are packages ranging from the low-level like `wai` supporting multiple backends from the swiftly simple `scotty` to the deeply complex `servant`, frontends like `blaze-html` and `lucid` - a rich set of libraries that provide a flexible enough set of solutions at whatever level of abstraction you need, that take full advantage of Haskell's powerful type system.
133
+
Cryptography is a different niche, but we see the success of Haskell web server libraries as an example of a healthy, community-driven ecosystem. There are packages ranging from the low-level like `wai` supporting multiple backends from the swiftly simple `scotty` to the deeply complex `servant`, and a supporting ecosystem - a rich set of libraries that provide a flexible enough set of solutions at whatever level of abstraction you need, that take full advantage of Haskell's powerful type system.
139
134
140
135
We see the success of the haskell web server ecosystem as an example of a healthy, developed niche, and as an example of Haskell making something safer and easier to use - something that we aspire to do with cryptography.
141
136
142
137
That level of development takes work, and time, and we've just hit our first milestone - bindings to a modern, stable, audited open-source cryptography library. Now begins the long work of establishing an ecosystem on top of it.
143
138
144
139
Here's what we're looking into for the long-term future:
145
140
146
-
## Improving APIs with higher-order functions
141
+
###Improving APIs with higher-order functions
147
142
148
143
We'd like to build higher-order functions to take care of complicated server/client multi-step algorithms, such as SRP6. Bundling up the necessary sequences of actions into a higher-order function that takes a couple of IO functions as arguments is a safer, more ergonomic, and more reliable way of performing these actions than handing the user a series of steps that they must call in the right order.
149
144
150
-
## Integration into libraries as an alternative to `crypton`
145
+
###Integration into libraries as an alternative to `crypton`
151
146
152
147
We'd like to integrate `botan` with other libraries as an alternative to or replacement for`crypton`, either through the drop-in interface, or by migrating entirely - and we'd like to make that easy by providing the appropriate tools and flags.
153
148
154
149
Of particular interest is the Haskell web ecosystem, which currently relies heavily on `crypton`.
155
150
156
-
## Split off cryptographic classes as a separate package to be backend agnostic
151
+
###Split off cryptographic classes as a separate package to be backend agnostic
157
152
158
153
We see `botan` as one of many potential backends, and backend-agnostic cryptographic typeclasses are like `wai` - a common interface. There is a difference between algorithms (sets of operations) and typeclasses (specific use cases). Algorithms are 'how we do it', typeclasses are 'what we want to use it for'. If we've defined our typeclasses correctly (as by use case), they should be backend-agnostic, regardless of the particulars of the implementation - otherwise the implementation could not fulfill its duties.
159
154
160
155
For the moment, these classes are part of `botan`, and we'd eventually like to split these cryptographic classes off into their own `cryptography` library.
161
156
162
-
## Implementation of more advanced algorithms
157
+
###Implementation of more advanced algorithms
163
158
164
159
There's a whole host of interesting and useful cryptography algorithms that have been developed in the last decade - including post-quantum cryptography, and we'd like to be able to provide them as tools for you to use.
165
160
@@ -169,13 +164,13 @@ We don't want you to be messing around with cryptographic primitives - we want y
169
164
170
165
[^3]: These libraries do not yet exist, but we'd like them to.
171
166
172
-
## Building an application framework that takes care of cryptography & security
167
+
###Building an application framework that takes care of cryptography & security
173
168
174
169
Ultimately, we'd like to build an application framework that abstracts away cryptography & security, not unlike how the Haskell web ecosystem successfully manages away much of the complexity of HTTP servers. We'd like to develop a comparable system, but for cryptography - one that comes with modern post-quantum key exchange and encryption and secure transport built-in. Wouldn't that be something - an application framework with out-of-box working post-quantum transport scheme?
175
170
176
171
Easy-to-create applications with built-in security could be a killer application for Haskell, in an era where data safety is becoming a primary concern.
177
172
178
-
# How can you help?
173
+
##How can you help?
179
174
180
175
We've already taken the first step of binding to a modern, stable cryptography library. Now it is time to take the next. We'd like to ensure the longevity of this project as we tackle the next set of challenges.
181
176
@@ -185,7 +180,11 @@ You can help us by commenting, voting, or pledging support - your activity here
185
180
186
181
Help us keep going! Follow the [devlog][devlog] for more frequently updated details!
187
182
188
-
# Signed
183
+
## Special thanks
184
+
185
+
Huge thanks to [Mercury][mercury] for funding the [first proposal][first proposal] and helping us reach this milestone - this library would not be in this state without their support. If you are an engineer looking for a savvy place to work, I hear they are [hiring][mercury hiring]!
186
+
187
+
## Signed
189
188
190
189
Leo Dillinger,
191
190
Haskell Cryptography Group
@@ -202,6 +201,7 @@ Executive Director, Haskell Foundation
202
201
-[Haskell Foundation][haskell foundation]
203
202
-[Mercury][mercury]
204
203
-[Mercury hiring][mercury hiring]
204
+
-[Botan Github][botan github]
205
205
-[botan-bindings][botan-bindings]
206
206
-[botan-low][botan-low]
207
207
-[botan][botan]
@@ -223,6 +223,8 @@ Executive Director, Haskell Foundation
0 commit comments