https://bugzilla.redhat.com/show_bug.cgi?id=2394931
--- Comment #21 from Carlos Rodriguez-Fernandez <[email protected]> ---
(In reply to Simo Sorce from comment #20)
> (In reply to Carlos Rodriguez-Fernandez from comment #18)
> > Simo Sorce,
> >
> > I understand the concerns but I believe there are good reasons to keep it in
> > Fedora.
> >
> > It is a popular library that our users can use[1], and making it available
> > allows other packages depending on it to use it or even be incorporated for
> > the first time into Fedora. The version 3 in particular is already making
> > its way into other distros[2] like Alpine, Debian, Gentoo or OpenSUSE.
> >
> >
> > [1] https://en.wikipedia.org/wiki/Botan_(programming_library)
> > [2] https://repology.org/project/botan/versions
>
> about 1) it is here only because Thunderbird dragged it in, it is not really
> popular, and I wish it remained confined to Thunderbird, and possibly
> replaced by sequoia which does offer an RNP interface IIRC.
>
> Other users should *not use* (if at all possible) crypto libraries that are
> not quality tested by us, do not integrate with fedora crypto policies, and
> for which I still do not have answers about TLS integration testing and
> certificate management.
>
> Proliferation of critical security components is *not* a good thing for us.
> There is absolutely zero need for yet another implementation of TLS and all
> the cryptography when it brings no additional security, as they do not use a
> memory safe language, do not seem to have strict conformance test, nor is
> the code hardened against side channels.
>
> In fact, as it stands, this library is a pure liability for us and its use
> should be discouraged in Fedora, not promoted.

Simo, as far as I understand Fedora is not a development framework, ... it is a distribution for users.
How can the statement that "there must be only one library for TLS" be a strong reason to block any other library that does TLS (botan doesn't just do TLS)?
Does this also apply to all the other libraries that give an alternative to a functionality?
