On Fri, Aug 09, 2019 at 01:26:23PM +0200, François Kooman wrote: > On 09.08.19 12:19, Petr Pisar wrote: > Using a low level crypto library like OpenSSL is a bad idea for > developers. I thought you want to start using minisign because it's easier for code signing and verification than GnuPG. But now you are talking about some developers who don't know how to use OpenSSL library. I probably miss the point. If you want libsodium in Fedora and develop your code against it nobody prevents you from that. Just submit libsodium for a review and become its maintainer. > > Moreover, I cannot see how TLS is relevant to a code signing. > > It is not. OpenSSL is (according to the blog post linked) only the best > tool for doing TLS. For all other purposes it is not the best tool. So > introducing something like libsodium for non-TLS purposes seems like a > good thing to do! Especially if this means dropping the OpenSSL/GnuPG > dependency... > Except you now have to maintain yet another implementation of the eliptic curve cryptography as you already written: > I don't know what the reasons are for arguing against libsodium for > non-TLS crypto use cases, maybe the foreseen (long term) potential costs > in case libsodium would be added to RHEL, next to OpenSSL and GnuPG? > It's great for diversity and competitive evolution, but expensive for maintenance and required certifications when productizing it for an enterprise use. In my opinion it's cheaper to port and maintain minisign on OpenSSL than to maintain libsodium (whose only current use would be minisign). And if I (maybe worngly) assume that key and signature format of minisign is yet another format incompatible with other tools, you also lose interoperability. In my opinion for most people it's too big obstacle. I don't tell that D.J. Bernstein and others aren't very smart people and they do not produce high-quality code. I even don't deny that simple tools with a code optimized for one purpose are less error prone and easier for auditing. However, "Yeay, a new tool, let's use it" is not a long-term sustainable approach. New tools are attractive because now they don't have to maintain a balast of backward compatibility and dead code from evolved, repurposed, and forgotten features. SSLeay/libcrypt also was like that when it was young. I only forsee that the new shiny tools once become also old and crufty. That's inevitable. Therefore I do not share you optimism regarding libsodium and minisign future. That's all. -- Petr
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ packaging mailing list -- packaging@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to packaging-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx
