I reviewed libsodium version 1.0.8-5 as checked into xenial, looking for any deviations from Seth's original review since this is a different version.

- No CVE history in our database
- libsodium provides a programmer- and packager-friendly library around the NaCl family of cryptography APIs.
- Depends: debhelper, pkg-config, dh-autoreconf
- Does not itself do networking
- Extensive cryptography
- Does not daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuid files
- No binaries in the PATH
- No sudo fragments
- No udev rules
- A test suite is run during the build
- No cron jobs
- Clean build logs
- No subprocesses spawned
- Memory management is very careful.
- Does not itself do file IO beyond /dev/random or /dev/urandom
- No logging
- No environment variable use
- No privileged functions
- No networking
- No privileged portions of code
- No temp files
- No WebKit
- No PolKit
- Extensive cppcheck warnings; manual inspection of randomly selected issues suggests failings in cppcheck (doesn't understand uint128_t and assumes it is 32 bits wide, so falsely flags bit shifts of 32 bits or larger of this as errors)

Security team ACK for promoting libsodium to main for Xenial / Trusty.

** Changed in: libsodium (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: libsodium (Ubuntu Xenial)
   Status: New => In Progress

https://bugs.launchpad.net/bugs/1621386

Title: [MIR] libsodium