[zeromq-dev] Defaulting to tweetnacl?

Roland Fehrenbacher rf at q-leap.de
Mon Feb 29 19:36:30 CET 2016


>>>>> "P" == Pieter Hintjens <ph at imatix.com> writes:

    P> True, there is no source repo and no explicit license. The site
    P> https://tweetnacl.cr.yp.to/ states that the software is "public
    P> domain" which is a solid enough statement IMO to use the source
    P> code.

    P> I suspect the best solution is to create a proper repo for
    P> tweetnacl, with a license. We could then remove the packaged code
    P> from libzmq and make an external dependency.

That's what I thought too. Do you want to create the repo? I'd create
one for packaging on debian.org and clone it on our github page. If
you're happy with that, I would provide write access to the latter, and
we could use it as the main repo. Concerning the license: Might be a
good idea, to choose one for this repo and then contact the original
authors, to ask whether they're happy with it.

    P> As for timely updates, yes, of course.

That's a statement. If we can get the original authors involved, it
would make things easier.

Roland

-------
http://www.q-leap.com / http://qlustar.com
          --- HPC / Storage / Cloud Linux Cluster OS ---


    P> On Mon, Feb 29, 2016 at 6:46 PM, Roland Fehrenbacher
    P> <rf at q-leap.de> wrote:
    >>>>>>> "L" == Luca Boccassi <luca.boccassi at gmail.com> writes:
    >>
    >> Hi all,
    >>
    >> sorry for being a bit late to this discussion.
    >>
    L> On Feb 10, 2016 22:41, "Pieter Hintjens" <ph at imatix.com> wrote:
    >> >>
    >> >> Hi all,
    >> >>
    >> >> I'd like to start moving to tweetnacl as the default when
    >> >> building libzmq. This means, no separate install of libsodium,
    >> >> and encryption built in by default. We can still have a
    >> >> --with-libsodium and --without-curve at configure time.
    >> >>
    >> >> Does anyone have a problem with this? It will not change
    >> >> anything significant in terms of performance nor
    >> >> interoperability. Just easier builds.
    >>
    >> While bringing some convenience, I think it's bad practice to
    >> bundle external code in one's own project. Most strongly, this
    >> applies to heavily security related stuff like an encryption
    >> library, IMHO.  Will ZMQ provide timely security fixes for
    >> tweetnacl?
    >>
    L> As long as libsodium remains supported I don't think it is a
    L> problem. Bear in mind that distributions like Debian will most
    L> likely use libsodium, because even though it is allowed, it is
    L> strongly discouraged to ship statically linked binaries, and it
    L> makes the mainteiners life harder. See: https://
    L> wiki.debian.org/StaticLinking
    >>
    >> This is the second important point: While with the bundling of
    >> the C Code you won't have statically linked binaries, from the
    >> distribution point of view, Debian maintainers will have to strip
    >> out the bundled code and create a so called DFSG source package.
    >>
    >> On another note: A weird thing about tweetnacl is, that it
    >> doesn't even have a license, making it hard to include it into
    >> Debian e.g. I also can't find a public source repo.
    >>
    >> If the latter two points were resolved, I could create an
    >> official tweetnacl Debian package, bringing back some convenience
    >> from the "code bundling approach".
    >>
    >> Best,
    >>
    >> Roland
    >>
    >> ------- http://www.q-leap.com / http://qlustar.com
    >> --- HPC / Storage / Cloud Linux Cluster OS ---
    >> _______________________________________________ zeromq-dev
    >> mailing list zeromq-dev at lists.zeromq.org
    >> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
    P> _______________________________________________ zeromq-dev
    P> mailing list zeromq-dev at lists.zeromq.org
    P> http://lists.zeromq.org/mailman/listinfo/zeromq-dev



More information about the zeromq-dev mailing list