https://bugzilla.redhat.com/show_bug.cgi?id=1268716 --- Comment #12 from Stuart D Gathman <stuart@xxxxxxxxxxx> --- This is why cjd thinks we should continue using the embedded nacl library: Caleb J. Delisle writes in https://github.com/hyperboria/cjdns/issues/43#issuecomment-154882318 1. When I started cjdns, libsodium was a bit of a joke, if you wanted nacl you needed to use it. 2. Libsodium does not use the fastest implementations for each processor, instead it uses a single implementation which works on everything. 3. Cjdns/NaCl has a poly1305 implementation for mips32r2 processors which doubles the packet forwarding speed... It's written in assembly so it will never end up in Libsodium and probably not in the OpenWRT nacl. 4. Dynamic linking opens up some various types of security bullshit see: https://startpage.com/do/search?q=dynamic+linking+exploit 5. How much space savings it is really ? (is it even net-positive if there are no other applications using nacl?) 6. The more stuff which is external to cjdns that cjdns relies upon, the more possibility for bugs which only happen on certain systems. I program with the assumption that the environment is hostile. For example cjdns has it's own random generator, after what happened with Debian OpenSSL, I would immediately -1 any attempt to replace that with a dynamically linked source of random. Basically the nacl that I use on my laptop matches the one that you use and that makes the safety of cjdns easier to validate. When there is a big major security vulnerability and it is exposed, everyone is going to point at the one feature which caused it and say "ho ho ho, that was stupid!" but until that day comes, everybody is going to push and push for more features, more edge cases, more things which don't work for the original vision and every one that I let by will make the security model a little more complex, a little more nuanced and a little more difficult to validate. Until the day when one of them finally bites us. For what this claims to bring, I don't see value worth the pain it (and other features like it) will cause in the long term. -- You are receiving this mail because: You are on the CC list for the bug. You are always notified about changes to this product and component _______________________________________________ package-review mailing list package-review@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/package-review