Square Open-Sources Golang Crypto Package Based on JWE/JWS - bigmac
https://github.com/square/go-jose

======
AYBABTME
The cipher subpackage is importing a third party package
`github.com/apexskier/cryptoPadding` and uses only this part of it:

[https://github.com/apexskier/cryptoPadding/blob/master/pkcs7...](https://github.com/apexskier/cryptoPadding/blob/master/pkcs7.go)

I think it would be a good idea to avoid that otherwise small dependency with
some copy-pasta/vendoring.
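
The pkcs7.go linked above is a pad/unpad pair, so vendoring it amounts to a few dozen lines. The following is an added example, not code from go-jose or from apexskier/cryptoPadding, showing what such a replacement has to get right: padding length between 1 and the block size, a full block of padding when the input is already aligned, and an unpad that rejects any malformed trailer (the `Pad`/`Unpad` names and `ErrBadPadding` are this example's own). The padding check runs over every byte without short-circuiting; in JWE the AES-CBC modes are authenticated with HMAC before decryption, which is the real defence against padding oracles, but a constant-time check costs nothing.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ErrBadPadding is returned for any trailer that is not valid PKCS#7 padding.
// Callers should report one generic error rather than distinguishing cases.
var ErrBadPadding = errors.New("pkcs7: invalid padding")

// Pad appends PKCS#7 padding so that len(result) is a multiple of blockSize.
// PKCS#7 always adds at least one byte: an already aligned input gets a full
// block of padding, which is what makes Unpad unambiguous.
func Pad(data []byte, blockSize int) ([]byte, error) {
	if blockSize < 1 || blockSize > 255 {
		return nil, errors.New("pkcs7: block size must be between 1 and 255")
	}
	n := blockSize - len(data)%blockSize
	out := make([]byte, len(data)+n)
	copy(out, data)
	copy(out[len(data):], bytes.Repeat([]byte{byte(n)}, n))
	return out, nil
}

// Unpad strips PKCS#7 padding, returning ErrBadPadding if the input is empty,
// not block-aligned, or carries a trailer that is not n copies of byte n.
func Unpad(data []byte, blockSize int) ([]byte, error) {
	if blockSize < 1 || blockSize > 255 {
		return nil, errors.New("pkcs7: block size must be between 1 and 255")
	}
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, ErrBadPadding
	}
	// Accumulate differences across the whole trailer instead of returning at
	// the first mismatch, so timing does not depend on where the bad byte is.
	var bad byte
	for _, b := range data[len(data)-n:] {
		bad |= b ^ byte(n)
	}
	if bad != 0 {
		return nil, ErrBadPadding
	}
	return data[:len(data)-n], nil
}

func main() {
	// Constructed sample input: five bytes padded to an 8-byte block.
	padded, _ := Pad([]byte("hello"), 8)
	fmt.Printf("padded: %q\n", padded)
	plain, err := Unpad(padded, 8)
	fmt.Printf("unpadded: %q err=%v\n", plain, err)
	// A tampered trailer is rejected with the generic error.
	padded[len(padded)-2] ^= 0x01
	_, err = Unpad(padded, 8)
	fmt.Println("tampered:", err)
}
```

Note that `Unpad` returns the same `ErrBadPadding` for every failure; a distinct error per case is exactly the kind of signal a padding-oracle attacker looks for.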

~~~
antoncohen
Good point, but apexskier/cryptoPadding doesn't have any license info, so it
really shouldn't be used at all (importing, copying, or vendoring).

~~~
codezero
Dang, I was going to try to refute you by saying no license meant no
restrictions, but nope! Creators of software (and any written work apparently
[1]) are automatically granted copyright for their work (this makes sense) so
without a license, copying it would be a violation of copyright. That's wild,
but seems reasonable.

Posting it to Github isn't implicit permission, but it would probably be a
factor if the author did try to sue people for using his or her copyrighted
work without license/permission.

[1] [http://en.wikipedia.org/wiki/Open-source_software#Open_software_licensing](http://en.wikipedia.org/wiki/Open-source_software#Open_software_licensing)

~~~
dtwwtd
There's also apparently terms in the Github ToS that allow viewing and forking
of public projects regardless of license. What this means in a practical
sense, I'm not sure.

[https://help.github.com/articles/open-source-licensing/#what-happens-if-i-dont-choose-a-license](https://help.github.com/articles/open-source-licensing/#what-happens-if-i-dont-choose-a-license)

~~~
tptacek
It's pretty simple. In a practical sense it means that the author of any
license-free project on Github who finds their code used in other software
can, very cheaply, C&D the authors of those packages.

------
tptacek
If anyone could publish a Golang crypto library I'd be inclined to trust,
it'd be Square, but I think you should probably avoid JOSE.

~~~
mjcohen
Why?

~~~
tptacek
Nothing to do with Javascript. JOSE is just very, very complicated. Until a few
months ago, I reviewed systems like this professionally, and none of the good
ones needed anything like the complexity of JOSE to solve their problems.

I'm automatically wary of meta-crypto-protocols. If it isn't designed against
a very specific problem statement, cryptography is almost invariably bad.

