Expectation setting for e_sqlcipher

Eric Sink edited this page May 12, 2021 · 1 revision

When I publish nuget packages for SQLitePCLRaw, included are builds of SQLite and SQLCipher. To distinguish these builds from other builds from other sources, I prefix the name with e_. So I refer to these builds as e_sqlite3 and e_sqlcipher.

It is important to note that I treat e_sqlite3 and e_sqlcipher very differently. I consider it important that e_sqlite3 builds are kept current (although I admit I don't always meet that standard). But e_sqlcipher on the other hand? Well...

SQLCipher is basically "SQLite, except with support for encryption". It is developed and maintained by a company called Zetetic. They release their code as open source, but they charge money for builds, with support included.

Since the SQLCipher code is open source, and because Zetetic does not distribute builds free of charge, sometimes other people do so. Currently, I am one of those people, and I am kinda unhappy about that.

Why then do I maintain e_sqlcipher builds? Inertia, mostly.

How did I get myself into this unfortunate situation? Years ago, the SQLCipher builds for SQLitePCLRaw were maintained by another company (Couchbase). When they stopped using SQLitePCLRaw in favor of another approach, I foolishly decided to just keep maintaining their builds myself. And so here we are.

I always refer to e_sqlcipher builds as unofficial and unsupported. I don't update them from upstream as often as I do for e_sqlite3.

When I get to this point of my rant, somebody usually says, "Well maybe if you charged money for e_sqlcipher builds then you would be happier about it."

Hey, that's a great idea. But anybody who actually pays for builds is going to expect support, so I would have to do that too. And I'm not a crypto expert. Also, er, I don't actually use SQLCipher in my projects, and I never have. If I did, I would buy supported builds from Zetetic.

Therefore, here are my terms: I will provide support for e_sqlcipher builds at a price that is three times whatever Zetetic charges. I will give one third of the proceeds to Zetetic, and one third to charity, and keep one third for myself. Every time you ask me a question, I will forward it to Zetetic and then forward you their answer. You must sign a notarized document indicating that you understand that (1) Zetetic's answers cannot possibly become more correct as they pass through my desk, (2) my e_sqlcipher builds are slower and less up-to-date and probably less secure than the ones maintained by Zetetic, who are, er, you know, the actual SQLCipher developers.

To be clear, I have no financial or legal connection with Zetetic. But I have interacted with their folks on numerous occasions, and doing so has always been a pleasure.

If you are using SQLitePCLRaw and you need encryption, you REALLY should buy supported builds from Zetetic. Their builds work well with SQLitePCLRaw, and they cooperate with me to make sure of that.

At some point I will probably just stop maintaining e_sqlcipher. But today is not that day. Because inertia.

But for as long as I do continue these e_sqlcipher builds, I am committed to doing a mediocre job of it.