[zeromq-dev] Defaulting to tweetnacl?

Jim Garlick garlick at llnl.gov
Tue Mar 1 21:34:26 CET 2016


On Tue, Mar 01, 2016 at 07:45:38PM +0100, Roland Fehrenbacher wrote:
> Thanks for this clarification. So does everybody agree on the following:
> 
> - Use the included tweetnacl for build/compile convenience
> - Use libsodium for clean distribution type of builds
> - Technically, both variants are roughly equivalent in terms of
>   performance, stability and test exposure etc.

-1

I thought you made a strong point here, Roland:

> While bringing some convenience, I think it's bad practice to bundle
> external code in one's own project. Most strongly, this applies to
> heavily security related stuff like an encryption library, IMHO.
> Will ZMQ provide timely security fixes for tweetnacl?

Let crypto people maintain crypto libs, and distro people worry about
pushing out security updates whenever possible.

It at least seems wrong to have libzmq silently use builtin tweetnacl if
libsodium is not found, as that might lead to people not getting the
robust build they intended.

Jim


