C2SP VS melpa

Age is a modern, respected crypto solution: https://github.com/C2SP/C2SP/blob/main/age.md

Argon2 is the best choice, but scrypt may be more easily available: https://github.com/C2SP/C2SP/issues/10

Hi! I read and appreciated your issues and discussions, sorry I didn't get to respond to them yet, but I've been thinking about it.

Although I don't disagree that parsing text is hard, I also think that parsing variable-size binary formats is hard (and there is a tall, tall pile of bugs to confirm that). Really, parsing is hard. Rather than count on one design or the other to be bug-proof, I worked on a large test suite to help implementations catch their parsing bugs. [https://c2sp.org/CCTV/age] I think it would have found one of the issues you reported if that implementation had integrated it, and I am going to add vectors for various resource exhaustion scenarios which I hope would have found the other. (I am not going to look at what it is exactly, so I will know if I made the suite comprehensive enough without being too specific about this bug.)

I also liked your observation that it would have been nice if the header was streamable. [https://github.com/C2SP/C2SP/issues/28] It went on the pile labeled "regrets / for v2 when it comes", thank you.

I think it's ironic that you imply a "dozen of immature crypto libraries" are used in the Age spec. It's quite the opposite and the Age spec provides a reduction in so-called "yolo crypto" versus the OpenPGP spec. See: https://github.com/C2SP/C2SP/blob/main/age.md and also give https://latacora.micro.blog/2019/07/16/the-pgp-problem.html# for a pretty accurate overview of what's wrong with OpenPGP.

… okay, then look at the spec, which is beautifully simple: https://github.com/C2SP/C2SP/blob/main/age.md#the-scrypt-rec...

I had the same question. I believe it refers to “Actually Good Encryption” (https://github.com/C2SP/C2SP/blob/main/age.md).

Watch the new pull requests to melpa: https://github.com/melpa/melpa/pulls

(require 'package) (add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/") t) (package-initialize) (package-install 'use-package) (use-package exec-path-from-shell :ensure t :config (exec-path-from-shell-initialize)))

MELPA is definitely the biggest package archive, probably mostly on account of the lower barrier to entry compared to GNU ELPA (maybe the difference would have been less pronounced if NonGNU ELPA had been there from the beginning, but one can only speculate). MELPA has its own requirements for packages, but indeed copyright assignment to the FSF is not one of them.

I would suggest to start at reading the manual first. Then I would recommend reading the Melpa guidance, even if you do not plan to contribute your package to Melpa, since it contains very useful info about linting, writing your code etc.

The mxtoolbox link checks for SMTP blacklisting.. People won't be able to send mail from host with the IP address 178.128.185.1(which is the melpa.org webserver, not their mailserver, so everything's fine there).

Xah asked for his packages to be removed from MELPA a while back: https://github.com/melpa/melpa/issues/7755

Observe that package.el compile files when they are installed, and they are not compiled in any particular order (actually whatever directory-files returns, which is what OS returns). So if you have multiple files that depend on each other, it is something to think of. There are also some guidelines on how to structure your project on Melpa.