[zeromq-dev] Defaulting to tweetnacl?

Luca Boccassi luca.boccassi at gmail.com
Tue Mar 1 20:18:01 CET 2016


On 1 March 2016 at 18:45, Roland Fehrenbacher <rf at q-leap.de> wrote:
>>>>>> "F" == frank  <soundart at gmx.net> writes:
>
>     F> On 03/01/2016 02:51 PM, Roland Fehrenbacher wrote:
>     >>>>>>> "P" == Pieter Hintjens <ph at imatix.com> writes:
>     P> Frank, Thanks for your opinion. You hit it spot on, I think. It
>     P> is really a relief to have security by default without any
>     P> external packages.
>     >>
>     P> Roland, would this work? Package for Debian using libsodium?
>     >>
>     >> I'm a bit confused now. I thought the point of your original mail
>     >> was that tweetnacl will be the default from now on and kind of
>     >> substituting libsodium. If that is so, the suggested path for
>     >> Debian would be to drop libsodium in favor of tweetnacl as well,
>     >> with tweetnacl linked in as an external lib, just like libsodium
>     >> currently is.
>
>     F> Hi,
>
>     F> sorry for causing confusion.
>
>     F> I think the old default while building from source was "no
>     F> cryptolib".
>
>     F> If you want crypto you have now two options:
>
>     F> - libsodium
>     F> - tweetnacl
>
>     F> Which you can enable with flags to the build system of choice. (I
>     F> used cmake on linux/debian, but there are others too in libzmq)
>
>     F> Libsodium is probably the better solution, except for these two
>     F> points:
>     F> - it does not support cmake for building :)
>     F> - it requires you to install/compile it somehow separately and
>     F>   make it available to the libzmq build
>
>     F> I have tried getting cmake support into libsodium but the pull
>     F> request was rejected.  The second point is too complex for many
>     F> developers who work on systems not having apt-get.
>
>     F> libzmq3 on debian stable depends already on libsodium so has
>     F> already deviated from the upstream default configuration
>     F> (thanks!)  and enabled crypto. This (== using libsodium) is still
>     F> the right thing to do in my opinion.
>
> Thanks for this clarification. So does everybody agree on the following:
>
> - Use the included tweetnacl for build/compile convenience
> - Use libsodium for clean distribution type of builds
> - Technically, both variants are roughly equivalent in terms of
>   performance, stability and test exposure etc.

Thumbs up!

Not sure if my previous mail made it through, got a bounce back from
the mailer. But we have test coverage in the CI for both, and the API
is the same, so we can be reasonably sure we can support both.

Kind regards,
Luca Boccassi
