On Sun, Apr 30, 2023 at 4:05 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote: > > On Sun, Apr 30, 2023 at 7:01 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > > > On Fri, Nov 4, 2022 at 4:25 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > > > > > Hello, > > > > > > During package review of the fiat-crypto Rust library, I noticed that > > > it contains an implementation of an elliptic curve (p434) which isn't > > > mentioned on the "good" list here: > > > https://fedoraproject.org/wiki/Legal:ECC > > > > > > I also can't find any references or sources for this curve (search > > > results for P-434, p434, and curve434 all come up empty). The only > > > mention of "p434" with respect to cryptography is in this Microsoft > > > project: https://github.com/microsoft/PQCrypto-SIDH > > > > > > And looking at the source code, I'm not even sure whether the P-434 > > > curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes > > > that are mentioned there, other than the fact that they happen to be > > > based on the same prime number (2^216 * 3^137 - 1). > > > > > > Given that there's no mention of any elliptic curves that use p434 on > > > the internet (that I could find), is it OK to ship it in a Fedora > > > package, or do we need to remove it from the sources? > > > > > > ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536 > > > > The linked package review is still blocked by this issue six months later :( > > Any idea what I can do to move this forward? > > Unfortunately I am pretty sure it won't be possible to get a > resolution on this any time soon. Ok, so ... I'm pretty sure we actually don't *need* the affected code. Would removing all p434 related code from the sources entirely (to be on the safe side), and building the package without support for this curve, be an acceptable solution until the legal status is cleared up? All other elliptic curves that are supported by the package are explicitly listed as OK in the docs. Fabio _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
