On Fri, May 25, 2018 at 12:07:06PM +0200, Tomas Mraz wrote:
> Because having millions of copies of SHA1, MD5, and SHA2 and .... in
> millions of applications is the best thing.
>
> Now that's something I would call laziness - just copy the code and do
> not care about doing the proper decision which crypto library to use.

These algorithms are static and have test vectors. If you don't need hardware acceleration for your use case, and portability and reducing external dependencies are a priority, it's a very realistic engineering tradeoff.

libext2fs has been ABI backwards compatible for 19 years (since the move from a.out to ELF shared libraries). OpenSSL can't keep ABI compatibility from one release to another. You can't build ABI compatibility on top of shifting sands, so that's a really good reason for a library not to depend on OpenSSL (if you care about backwards compatibility, anyway).

Also consider that sha512.o is only 4735 bytes. libxml2 has a size of 1.75 megabytes, so having my own version of sha512 is equivalent to 0.26% of libxml2.

Using my own copy of sha512? 2.5 milli-libxml2's.

Shared library ABI backwards compatibility? Priceless.

(And I won't even get into the bloat-o-rama which is GNOME2....)

- Ted