[zeromq-dev] Defaulting to tweetnacl?
Roland Fehrenbacher
rf at q-leap.de
Mon Feb 29 18:46:37 CET 2016
>>>>> "L" == Luca Boccassi <luca.boccassi at gmail.com> writes:
Hi all,
sorry for being a bit late to this discussion.
L> On Feb 10, 2016 22:41, "Pieter Hintjens" <ph at imatix.com> wrote:
>>
>> Hi all,
>>
>> I'd like to start moving to tweetnacl as the default when
>> building libzmq. This means, no separate install of libsodium,
>> and encryption built in by default. We can still have a
>> --with-libsodium and --without-curve at configure time.
>>
>> Does anyone have a problem with this? It will not change anything
>> significant in terms of performance nor interoperability. Just
>> easier builds.
While bringing some convenience, I think it's bad practice to bundle
external code in one's own project. Most strongly, this applies to
heavily security related stuff like an encryption library, IMHO.
Will ZMQ provide timely security fixes for tweetnacl?
L> As long as libsodium remains supported I don't think it is a
L> problem. Bear in mind that distributions like Debian will most
L> likely use libsodium, because even though it is allowed, it is
L> strongly discouraged to ship statically linked binaries, and it
L> makes the mainteiners life harder. See: https://
L> wiki.debian.org/StaticLinking
This is the second important point: While with the bundling of the C
Code you won't have statically linked binaries, from the distribution
point of view, Debian maintainers will have to strip out the bundled
code and create a so called DFSG source package.
On another note: A weird thing about tweetnacl is, that it doesn't even
have a license, making it hard to include it into Debian e.g. I also
can't find a public source repo.
If the latter two points were resolved, I could create an official tweetnacl
Debian package, bringing back some convenience from the "code bundling
approach".
Best,
Roland
-------
http://www.q-leap.com / http://qlustar.com
--- HPC / Storage / Cloud Linux Cluster OS ---
More information about the zeromq-dev
mailing list