
Document vetting process for OpenDP library contributions #7

Open
pdurbin opened this issue Mar 19, 2021 · 1 comment

Comments

pdurbin (Contributor) commented Mar 19, 2021

This week we had a meeting to discuss the vetting process for contributing to the OpenDP library. Of particular concern is contribution of new algorithms that would need to be vetted by someone with the appropriate expertise in mathematics and proofs.

We decided to review the contribution guidelines for a few open source projects that we feel are similar in spirit, that also have the need for extended vetting not just of code but of mathematical formulas. Specifically, we had in mind libraries that implement cryptography.

Using a list from Wikipedia as a starting point, I looked at three cryptography libraries I'd heard of and one (Crypto++) that caught my eye.

To summarize my findings:

  • From what I can tell, Bouncy Castle doesn't strongly encourage contributions. (I couldn't find a contributing guide on the Bouncy Castle website.)
  • Both OpenSSL and NSS encourage contribution but don't put particular emphasis on cryptographic code being different than other parts of the code. (See the OpenSSL contributing guide and the NSS code review checklist.)
  • Crypto++ at least indicates that contributions of features and enhancements can be "time consuming because algorithms and their test cases need to be reviewed and merged." (See "Source Code and Contributions" on the Crypto++ website.)

(If we'd like to review additional libraries, I started a spreadsheet for the ones above.)

In the course of this review, I came across FIPS 140 which is an official form of vetting from the U.S. government for cryptography. I don't believe we are looking for anything this formal.

Like Crypto++, OpenDP should communicate that contributing algorithms will get extra scrutiny. Other projects like OpenSSL don't seem to put emphasis on this point but it doesn't appear to be necessary.

tercer (Member) commented Apr 6, 2021

SealPIR has a contributing section that explicitly describes their contributing code of conduct:
https://github.com/microsoft/SealPIR

A separate contributing markdown has proven a useful feature of this repo (not crypto, but contributors from a dozen different universities/companies to build community infrastructure):
https://gitlab.com/datadrivendiscovery/automl-rpc
with https://gitlab.com/datadrivendiscovery/automl-rpc/-/blob/devel/CONTRIBUTING.md
