[zeromq-dev] Defaulting to tweetnacl?
Pieter Hintjens
ph at imatix.com
Tue Mar 1 16:31:07 CET 2016
Sorry, I was slightly forgetting the details too; Frank's email cleared it up.
There is no point in using an external tweetnacl. If you want an
external security package, build with --with-libsodium. This disables
the built-in tweetnacl and gives you the external dependency you want
as package maintainer.
Meanwhile, users of git or tarballs get security by default without
any extra dependencies, which is a major win.
In terms of the license, given that the tweetnacl site declares
"public domain", and that it is a single source file (plus header)
I've no problem incorporating the code into libzmq. The only downside
is we'd have to patch it if there's a security fix. That is actually
easier if we control the code than if we don't.
-Pieter
On Tue, Mar 1, 2016 at 2:51 PM, Roland Fehrenbacher <rf at q-leap.de> wrote:
>>>>>> "P" == Pieter Hintjens <ph at imatix.com> writes:
>
> P> Frank, Thanks for your opinion. You hit it spot on, I think. It
> P> is really a relief to have security by default without any
> P> external packages.
>
> P> Roland, would this work? Package for Debian using libsodium?
>
> I'm a bit confused now. I thought the point of your original mail was
> that tweetnacl will be the default from now on and kind of substituting
> libsodium. If that is so, the suggested path for Debian would be to drop
> libsodium in favor of tweetnacl as well, with tweetnacl linked in as an
> external lib, just like libsodium currently is.
>
> If on the other hand you decided to keep tweetnacl in the zmq code, for
> Debian, one would have to drop that part (DFSG modified source as
> mentioned before) and create patches that make zmq build fine with an
> external tweetnacl.
>
> Alternatively, you could probably say "What the heck
> with tweetnacl: We fully integrate it into zmq, respect the copyright
> and otherwise treat it, as if it was an original part of zmq from the
> beginning". I don't see why Debian couldn't live with this. So the only
> hurdle for this approach would probably be, to get the consent of the
> original authors.
>
> Please enlighten me, if I'm on a completely wrong track.
>
> Roland
>
> -------
> http://www.q-leap.com / http://qlustar.com
> --- HPC / Storage / Cloud Linux Cluster OS ---
>
> P> On Tue, Mar 1, 2016 at 12:03 PM, frank <soundart at gmx.net> wrote:
> >> Hi,
> >>
> >> I added tweetnacl to libzmq in 2014 and would like to add my
> >> opinion too.
> >>
> >> tweetnacl as it is integrated now is very nice for people
> >> starting with compiling from source e.g. developers using higher
> >> level languages like python and requiring latest code changes.
> >> - it will just work and produce not too many problems.
> >>
> >> Removing tweetnacl from the libzmq source distribution and using
> >> e.g. a tweetnacl debian package for debian libzmq will hurt in
> >> two ways:
> >>
> >> - There will be again libzmq builds without encryption at all
> >> - libzmq on debian will not use libsodium and probably have a
> >> slower libzmq
> >>
> >> So I would say:
> >>
> >> - Make tweetnacl default for source builds and leave it inside
> >> the libzmq tar ball.
> >> - Add a recommendation to the documentation advising people
> >> producing binary packages to link to libsodium
> >>
> >> kind regards Frank
> >>
> >> _______________________________________________ zeromq-dev
> >> mailing list zeromq-dev at lists.zeromq.org
> >> http://lists.zeromq.org/mailman/listinfo/zeromq-dev