[zeromq-dev] Defaulting to tweetnacl?

Luca Boccassi luca.boccassi at gmail.com
Tue Mar 1 15:58:47 CET 2016

On Mar 1, 2016 13:51, "Roland Fehrenbacher" <rf at q-leap.de> wrote:
> >>>>> "P" == Pieter Hintjens <ph at imatix.com> writes:
>     P> Frank, Thanks for your opinion. You hit it spot on, I think. It
>     P> is really a relief to have security by default without any
>     P> external packages.
>     P> Roland, would this work? Package for Debian using libsodium?
> I'm a bit confused now. I thought the point of your original mail was
> that tweetnacl will be the default from now on and kind of substituting
> libsodium. If that is so, the suggested path for Debian would be to drop
> libsodium in favor of tweetnacl as well, with tweetnacl linked in as an
> external lib, just like libsodium currently is.
> If on the other hand you decided to keep tweetnacl in the zmq code, for
> Debian, one would have to drop that part (DFSG modified source as
> mentioned before) and create patches that make zmq build fine with an
> external tweetnacl.
> Alternatively, you could probably say "What the heck
> with tweetnacl: We fully integrate it into zmq, respect the copyright
> and otherwise treat it, as if it was an original part of zmq from the
> beginning". I don't see why Debian couldn't live with this. So the only
> hurdle for this approach would probably be, to get the consent of the
> original authors.
> Please enlighten me, if I'm on a completely wrong track.


I'm CC'ing Laszlo, the Debian maintainer, as I think this discussion will
be of interest to him.

Roland, being a DM, I shared your same concerns.

First of all, when the switch happened, I made sure that our CI still does
a test run using libsodium instead of tweetnacl, so that support for it
never suffers from bitrot and silently breaks. You can switch between the 2
with a compile time option, and again this is exercised by the CI. The API
being compatible, we can support both as long as the build system doesn't
break. No need for additional patches.

Then, tweetnacl code already became part of the libzmq source tree, so it's
not simply a library statically linked in. As part of this, it was slightly
changed and relicensed under the same license as the libzmq library. I am
not an expert on this subject, but Pieter was kind enough to explain to me
that this is allowed, since the original work is in the public domain, so
changing and relicensing can be done.

Given this, I don't believe packaging for distributions will be a problem.
Maintainers can choose to either DFSG the source tree and take out the
tweetnacl modules and use libsodium instead, or to use the default
configuration with tweetnacl.

Please correct my assumptions and conclusions if I am wrong :-)

Kind regards,
Luca Boccassi