[zeromq-dev] Defaulting to tweetnacl?
Pieter Hintjens
ph at imatix.com
Mon Feb 29 19:19:32 CET 2016
True, there is no source repo and no explicit license. The site
https://tweetnacl.cr.yp.to/ states that the software is "public
domain" which is a solid enough statement IMO to use the source code.
I suspect the best solution is to create a proper repo for tweetnacl,
with a license. We could then remove the packaged code from libzmq and
make an external dependency.
As for timely updates, yes, of course.
-Pieter
On Mon, Feb 29, 2016 at 6:46 PM, Roland Fehrenbacher <rf at q-leap.de> wrote:
>>>>>> "L" == Luca Boccassi <luca.boccassi at gmail.com> writes:
>
> Hi all,
>
> sorry for being a bit late to this discussion.
>
> L> On Feb 10, 2016 22:41, "Pieter Hintjens" <ph at imatix.com> wrote:
> >>
> >> Hi all,
> >>
> >> I'd like to start moving to tweetnacl as the default when
> >> building libzmq. This means, no separate install of libsodium,
> >> and encryption built in by default. We can still have a
> >> --with-libsodium and --without-curve at configure time.
> >>
> >> Does anyone have a problem with this? It will not change anything
> >> significant in terms of performance nor interoperability. Just
> >> easier builds.
>
> While bringing some convenience, I think it's bad practice to bundle
> external code in one's own project. Most strongly, this applies to
> heavily security related stuff like an encryption library, IMHO.
> Will ZMQ provide timely security fixes for tweetnacl?
>
> L> As long as libsodium remains supported I don't think it is a
> L> problem. Bear in mind that distributions like Debian will most
> L> likely use libsodium, because even though it is allowed, it is
> L> strongly discouraged to ship statically linked binaries, and it
> L> makes the maintainers' life harder. See:
> L> https://wiki.debian.org/StaticLinking
>
> This is the second important point: While with the bundling of the C
> code you won't have statically linked binaries, from the distribution
> point of view, Debian maintainers will have to strip out the bundled
> code and create a so-called DFSG source package.
>
> On another note: A weird thing about tweetnacl is that it doesn't even
> have a license, making it hard to include it in Debian, for example. I also
> can't find a public source repo.
>
> If the latter two points were resolved, I could create an official tweetnacl
> Debian package, bringing back some convenience from the "code bundling
> approach".
>
> Best,
>
> Roland
>
> -------
> http://www.q-leap.com / http://qlustar.com
> --- HPC / Storage / Cloud Linux Cluster OS ---
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev