On Sun, Apr 30, 2023 at 10:11 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > On Sun, Apr 30, 2023 at 4:05 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote: > > > > On Sun, Apr 30, 2023 at 7:01 AM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > > > > > On Fri, Nov 4, 2022 at 4:25 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote: > > > > > > > > Hello, > > > > > > > > During package review of the fiat-crypto Rust library, I noticed that > > > > it contains an implementation of an elliptic curve (p434) which isn't > > > > mentioned on the "good" list here: > > > > https://fedoraproject.org/wiki/Legal:ECC > > > > > > > > I also can't find any references or sources for this curve (search > > > > results for P-434, p434, and curve434 all come up empty). The only > > > > mention of "p434" with respect to cryptography is in this Microsoft > > > > project: https://github.com/microsoft/PQCrypto-SIDH > > > > > > > > And looking at the source code, I'm not even sure whether the P-434 > > > > curve in fiat-crypto is at all related to SIKEp434 / SIDHp434 schemes > > > > that are mentioned there, other than the fact that they happen to be > > > > based on the same prime number (2^216 * 3^137 - 1). > > > > > > > > Given that there's no mention of any elliptic curves that use p434 on > > > > the internet (that I could find), is it OK to ship it in a Fedora > > > > package, or do we need to remove it from the sources? > > > > > > > > ref. https://bugzilla.redhat.com/show_bug.cgi?id=2005536 > > > > > > The linked package review is still blocked by this issue six months later :( > > > Any idea what I can do to move this forward? > > > > Unfortunately I am pretty sure it won't be possible to get a > > resolution on this any time soon. > > Ok, so ... I'm pretty sure we actually don't *need* the affected code. > Would removing all p434 related code from the sources entirely (to be > on the safe side), and building the package without support for this > curve, be an acceptable solution until the legal status is cleared up? Yes, that's an acceptable solution in the meantime. Richard _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
