Commit 92d8a74

Applying feedback
1 parent d9c7961 commit 92d8a74

1 file changed

+37
-35
lines changed

content/blog/botan-first-milestone.md

Lines changed: 37 additions & 35 deletions
@@ -12,27 +12,29 @@ lead = "After 8 months of work, we've reached an important milestone. Now we're
1212

1313
# Botan: The First Milestone
1414

15-
First off, huge thanks to [Mercury][mercury] for funding the [first proposal][first proposal] and helping us reach this milestone - this library would not be in this state without their support. If you are an engineer looking for a savvy place to work, I hear they are [hiring][mercury hiring]!
15+
What are you using cryptography for? Would you be interested in trying something new? Perhaps an alternate backend for your cryptography needs?
16+
17+
We're working on `botan`, a cryptographic kitchen sink, and after 8 months of work, we've reached an important milestone: we've successfully published the first released version `0.0.1` of [botan-bindings][botan-bindings] and [botan-low][botan-low], and `botan` has made it to [package candidate][botan] status!
1618

17-
With [botan-bindings][botan-bindings] and [botan-low][botan-low] having reached their initial `0.0.1` release and `botan` making it to [package candidate][botan] status, we've reached an important milestone - the first released version!
19+
Now we are hard at work on getting the first release version of `botan` ready too, and could use your feedback!
1820

19-
After 8 months of work, celebrations were in order, and after a bit of a breather, we're back in action to tell you about what is coming next.
21+
## What is Botan?
22+
23+
Botan is an comprehensive, open-source, BSD-licenced, C++ cryptography library with a stable C API. It offers a broad variety of functionality and algorithms, including **post-quantum cryptography**, is developed and maintained by an active community, and has been [audited][botan audit] in the past.
2024

21-
But first...
25+
By binding to Botan, we have solved a significant problem of providing much of the necessary 'cryptographic kitchen sink' via a suitably performant, suitably licensed, open-source library. Furthermore, we do this without imposing a large maintenance burden on the Haskell community, as we are not required to maintain the Botan cryptography library itself, only the bindings to it.
2226

23-
# A call for users
27+
## A call for users
2428

2529
Do you use one of the following libraries?
2630

2731
- `crypton` / `cryptonite`
2832
- `libsodium`
2933
- `saltine`
3034

31-
What are you using cryptography for? Would you be interested in trying something new? Perhaps an alternate backend for your cryptography needs?
32-
33-
We're working on `botan`, a cryptographic kitchen sink, and could use your feedback! We've successfully published `botan-bindings` and `botan-low`, and now are hard at work on getting `botan` ready too. That's where you come in! We can't listen to your feedback if there isn't any.
35+
That's where you come in! We'd like you to consider giving [botan][botan github] a try!
3436

35-
`botan-low` is surprisingly viable out-of-box, and `botan` will be having it's own `0.0.1` release soon enough. We are interested in seeing how they perform in the real world, and we can only do that with users!
37+
`botan-low` is surprisingly viable out-of-box, and `botan` will be having it's own `0.0.1` release soon enough. We are interested in seeing how they perform in the real world, and we can only do that with users - we can't listen to your feedback if there isn't any!
3638

3739
Or perhaps you may be a user of a library with one of these buried deep in the dependencies?
3840

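Review bot: The added "What is Botan?" paragraph (new line 23) puts "has been [audited][botan audit] in the past" directly under the `0.0.1` release announcement without saying what the audit covered; state which Botan release and scope it applied to, and whether it extends to `botan-bindings` and `botan-low`, so readers do not take it as assurance for the packages they are about to install. Two typos ride along in the added lines: "an comprehensive" (new line 23) should be "a comprehensive", and "having it's own" (new line 37) should be "having its own". The new opening question "What are you using cryptography for?" (new line 15) is also asked again in the unchanged text further down, so one of the two can go.
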
@@ -56,34 +58,27 @@ Having a solid, reliable, and well-maintained cryptography libraries is a huge b
5658

5759
What are you using cryptography for? Let us know in the comments or with upvotes.
5860

59-
# Who are we?
61+
## Who are we?
6062

6163
I am Leo Dillinger, a member of [Haskell Cryptography Group][haskell cryptography group], and I am working with the [Haskell Foundation][haskell foundation] to develop free and open-source software for you and the Haskell ecosystem.
6264

63-
# What are our goals?
65+
## What are our goals?
6466

6567
We seek to provide trusted, open-source cryptography solutions to you. Much of the existing Haskell cryptography ecosystem is aging, unmaintained and unaudited, or very limited in scope, we are seeking to improve that.
6668

67-
# What is Botan?
69+
Today, we're here to tell you about what is coming next.
6870

69-
Botan is an comprehensive, open-source, BSD-licenced, C++ cryptography library with a stable C API. It offers a broad variety of functionality and algorithms, including **post-quantum cryptography**, is developed and maintained by an active community, and has been [audited][botan audit] in the past.
70-
71-
By binding to Botan, we have solved a significant problem of providing much of the necessary 'cryptographic kitchen sink' via a suitably performant, suitably licensed, open-source library. Furthermore, we do this without imposing a large maintenance burden on the Haskell community, as we are not required to maintain the Botan cryptography library itself, only the bindings to it.
72-
73-
See the
74-
[first proposal][first proposal] for more details.
75-
76-
# A new phase
71+
## A new phase
7772

7873
As we all know, perfect is the enemy of good; no software is perfect the first time, and we release things when they work, and then continue to improve them. And so we hope that this is simply the first version and first step on a journey of many improvements small and large.
7974

8075
With this milestone, the project enters a new phase in the software development lifecycle - maintenance and development. During initial development, we were nimble, and could make choices arbitrarily - but now that we have something that works, with an initial release and users, we have to keep it working all the while we continue further development. We now have other people invested in this, and can't make choices willy-nilly - we owe it to our users and stakeholders to listen to them.
8176

82-
# The second milestone
77+
## The second milestone
8378

8479
That is what this next milestone is about - listening to feedback, improving the user experience, and seeing where the pain points are. Here's what we've heard, and here's what we're planning for the next three months.
8580

86-
## Improved installation support
81+
### Improved installation support
8782

8883
One of the biggest pieces of feedback that we've received is the need for improved support for the installation of the `botan3` C++ library. This was a recurring item, and we've heard you loud and clear.
8984

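Review bot: Removing "See the [first proposal][first proposal] for more details." (old lines 73-74) leaves the Botan rationale with no pointer to the design details; the only remaining `[first proposal]` link is in the "Special thanks" paragraph at the end of the post. Consider keeping that sentence with the relocated "What is Botan?" section. The added "Today, we're here to tell you about what is coming next." (new line 69) also reads as a stray closing line under "What are our goals?"; it would sit better as the opening sentence of "A new phase".
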
@@ -93,27 +88,27 @@ We'd like to spend a good chunk of time improving the installation process, with
9388

9489
We're also looking into using `build-type: Configure` for bundling Botan C++ as a Haskell package for easy installation on all operating systems - we'd like for usage to be as easy as adding `botan` to your dependencies.
9590

96-
## Development of a drop-in interface replacement for `crypton`
91+
### Development of a drop-in interface replacement for `crypton`
9792

9893
This is obviously on our mind, given our call for users, and was mentioned several times in feedback. `crypton` is a dependency in many important libraries in the Haskell ecosystem, and we would like to build an interface that is as near a drop-in replacement for `crypton` as possible.
9994

10095
There will be some differences, as `botan` doesn't necessarily support everything[^2] in the same way as `crypton` does, but we'll give it our best effort to make migration as simple as possible.
10196

10297
[^2]: There are a few things that `crypton` supports that `botan` doesn't, but also vice versa - `botan` supports things like modern post-quantum algorithms and `crypton` doesn't.
10398

104-
## Development of a high-level libsodium-like interface
99+
### Development of a high-level libsodium-like interface
105100

106101
We'd like to expose a high-level libsodium-like interface of selected best-in-class algorithms in order to make usage dead simple. We don't want you managing primitives yourselves - we want you calling a simple function purely or in an appropriate monad / transformer.
107102

108103
> This might be a bit of a stretch goal, in favor of focusing on replacing `crypton`.
109104
110-
## Continued development of the cryptographic typeclasses
105+
### Continued development of the cryptographic typeclasses
111106

112107
The development of [cryptographic typeclasses][cryptographic typeclasses] is ongoing, in an effort to improve per-algorithm type safety and ergonomics through more consistent handling of cryptographic primitives such as keys, nonces, and ciphertexts.
113108

114109
> This is also a necessity for the `crypton` drop-in replacement.
115110
116-
## Continued refinement of `botan`
111+
### Continued refinement of `botan`
117112

118113
There are many continued refinements and improvements to the `botan` library that we would like to apply.
119114

@@ -131,35 +126,35 @@ These are some of the things that we'd like to accomplish over the coming months
131126

132127
You can find more details in the updated [second funding proposal][second proposal]. This proposal is a continuation of the efforts of the first proposal, and is motivated by the same long-term goals.
133128

134-
# A flag planted on the horizon
129+
## A flag planted on the horizon
135130

136131
As part of the Haskell Cryptography Group, we're about more than just maintenance of existing libraries - we want to develop a full suite of modern cryptography libraries.
137132

138-
Cryptography is a different niche, but we see the success of Haskell web server libraries as an example of a healthy, community-driven ecosystem. There are packages ranging from the low-level like `wai` supporting multiple backends from the swiftly simple `scotty` to the deeply complex `servant`, frontends like `blaze-html` and `lucid` - a rich set of libraries that provide a flexible enough set of solutions at whatever level of abstraction you need, that take full advantage of Haskell's powerful type system.
133+
Cryptography is a different niche, but we see the success of Haskell web server libraries as an example of a healthy, community-driven ecosystem. There are packages ranging from the low-level like `wai` supporting multiple backends from the swiftly simple `scotty` to the deeply complex `servant`, and a supporting ecosystem - a rich set of libraries that provide a flexible enough set of solutions at whatever level of abstraction you need, that take full advantage of Haskell's powerful type system.
139134

140135
We see the success of the haskell web server ecosystem as an example of a healthy, developed niche, and as an example of Haskell making something safer and easier to use - something that we aspire to do with cryptography.
141136

142137
That level of development takes work, and time, and we've just hit our first milestone - bindings to a modern, stable, audited open-source cryptography library. Now begins the long work of establishing an ecosystem on top of it.
143138

144139
Here's what we're looking into for the long-term future:
145140

146-
## Improving APIs with higher-order functions
141+
### Improving APIs with higher-order functions
147142

148143
We'd like to build higher-order functions to take care of complicated server/client multi-step algorithms, such as SRP6. Bundling up the necessary sequences of actions into a higher-order function that takes a couple of IO functions as arguments is a safer, more ergonomic, and more reliable way of performing these actions than handing the user a series of steps that they must call in the right order.
149144

150-
## Integration into libraries as an alternative to `crypton`
145+
### Integration into libraries as an alternative to `crypton`
151146

152147
We'd like to integrate `botan` with other libraries as an alternative to or replacement for`crypton`, either through the drop-in interface, or by migrating entirely - and we'd like to make that easy by providing the appropriate tools and flags.
153148

154149
Of particular interest is the Haskell web ecosystem, which currently relies heavily on `crypton`.
155150

156-
## Split off cryptographic classes as a separate package to be backend agnostic
151+
### Split off cryptographic classes as a separate package to be backend agnostic
157152

158153
We see `botan` as one of many potential backends, and backend-agnostic cryptographic typeclasses are like `wai` - a common interface. There is a difference between algorithms (sets of operations) and typeclasses (specific use cases). Algorithms are 'how we do it', typeclasses are 'what we want to use it for'. If we've defined our typeclasses correctly (as by use case), they should be backend-agnostic, regardless of the particulars of the implementation - otherwise the implementation could not fulfill its duties.
159154

160155
For the moment, these classes are part of `botan`, and we'd eventually like to split these cryptographic classes off into their own `cryptography` library.
161156

162-
## Implementation of more advanced algorithms
157+
### Implementation of more advanced algorithms
163158

164159
There's a whole host of interesting and useful cryptography algorithms that have been developed in the last decade - including post-quantum cryptography, and we'd like to be able to provide them as tools for you to use.
165160

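Review bot: The rewritten sentence at new line 133 is still hard to parse: "ranging from the low-level like `wai` supporting multiple backends from the swiftly simple `scotty` to the deeply complex `servant`" nests two "from" ranges, and the replacement "and a supporting ecosystem" repeats both "supporting" and "ecosystem" from the same paragraph. Split it into two sentences, one for `wai` and one for the `scotty` to `servant` range. The unchanged paragraph that follows restates the same opening claim ("We see the success of the haskell web server ecosystem as an example of a healthy, developed niche") and could be merged in the same pass, with "Haskell" capitalised.
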
@@ -169,13 +164,13 @@ We don't want you to be messing around with cryptographic primitives - we want y
169164

170165
[^3]: These libraries do not yet exist, but we'd like them to.
171166

172-
## Building an application framework that takes care of cryptography & security
167+
### Building an application framework that takes care of cryptography & security
173168

174169
Ultimately, we'd like to build an application framework that abstracts away cryptography & security, not unlike how the Haskell web ecosystem successfully manages away much of the complexity of HTTP servers. We'd like to develop a comparable system, but for cryptography - one that comes with modern post-quantum key exchange and encryption and secure transport built-in. Wouldn't that be something - an application framework with out-of-box working post-quantum transport scheme?
175170

176171
Easy-to-create applications with built-in security could be a killer application for Haskell, in an era where data safety is becoming a primary concern.
177172

178-
# How can you help?
173+
## How can you help?
179174

180175
We've already taken the first step of binding to a modern, stable cryptography library. Now it is time to take the next. We'd like to ensure the longevity of this project as we tackle the next set of challenges.
181176

@@ -185,7 +180,11 @@ You can help us by commenting, voting, or pledging support - your activity here
185180

186181
Help us keep going! Follow the [devlog][devlog] for more frequently updated details!
187182

188-
# Signed
183+
## Special thanks
184+
185+
Huge thanks to [Mercury][mercury] for funding the [first proposal][first proposal] and helping us reach this milestone - this library would not be in this state without their support. If you are an engineer looking for a savvy place to work, I hear they are [hiring][mercury hiring]!
186+
187+
## Signed
189188

190189
Leo Dillinger,
191190
Haskell Cryptography Group
@@ -202,6 +201,7 @@ Executive Director, Haskell Foundation
202201
- [Haskell Foundation][haskell foundation]
203202
- [Mercury][mercury]
204203
- [Mercury hiring][mercury hiring]
204+
- [Botan Github][botan github]
205205
- [botan-bindings][botan-bindings]
206206
- [botan-low][botan-low]
207207
- [botan][botan]
@@ -223,6 +223,8 @@ Executive Director, Haskell Foundation
223223

224224
[mercury hiring]: https://www.reddit.com/r/haskell/comments/1akeujj/comment/kp7g0rf/ "Mercury hiring"
225225

226+
[botan github]: https://github.com/haskell-cryptography/botan "Botan Github"
227+
226228
[botan-bindings]: https://hackage.haskell.org/package/botan-bindings-0.0.1.0 "botan-bindings"
227229

228230
[botan-low]: https://hackage.haskell.org/package/botan-low-0.0.1.0 "botan-low"
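
Review bot: The added definition `[botan github]` carries the title "Botan Github", yet its target is under the `haskell-cryptography` organisation, and the post otherwise uses "Botan" for the C++ library and `botan` for the Haskell package; a title such as "botan on GitHub" avoids implying it is the upstream C++ repository. The same applies to the list entry "- [Botan Github][botan github]" added in the previous hunk. The link text `[botan][botan github]` in "A call for users" also reads identically to `[botan][botan]`, which goes to the package candidate, so a distinct link text would help. "Github" should be spelled "GitHub".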
