Sorry, I was slightly forgetting the details too; Frank's email cleared it up.
There is no point in using an external tweetnacl. If you want an external security package, build with --with-libsodium. This disables the built-in tweetnacl and gives you the external dependency you want as package maintainer.

Meanwhile, users of git or tarballs get security by default without any extra dependencies, which is a major win.

In terms of the license, given that the tweetnacl site declares "public domain", and that it is a single source file (plus header), I've no problem incorporating the code into libzmq.

The only downside is we'd have to patch it if there's a security fix. That is actually easier if we control the code than if we don't.

-Pieter

On Tue, Mar 1, 2016 at 2:51 PM, Roland Fehrenbacher <r...@q-leap.de> wrote:
>>>>>> "P" == Pieter Hintjens <p...@imatix.com> writes:
>
> P> Frank, Thanks for your opinion. You hit it spot on, I think. It
> P> is really a relief to have security by default without any
> P> external packages.
>
> P> Roland, would this work? Package for Debian using libsodium?
>
> I'm a bit confused now. I thought the point of your original mail was
> that tweetnacl will be the default from now on and kind of substituting
> libsodium. If that is so, the suggested path for Debian would be to drop
> libsodium in favor of tweetnacl as well, with tweetnacl linked in as an
> external lib, just like libsodium currently is.
>
> If on the other hand you decided to keep tweetnacl in the zmq code, for
> Debian, one would have to drop that part (DFSG modified source as
> mentioned before) and create patches that make zmq build fine with an
> external tweetnacl.
>
> Alternatively, you could probably say "What the heck
> with tweetnacl: We fully integrate it into zmq, respect the copyright
> and otherwise treat it, as if it was an original part of zmq from the
> beginning". I don't see why Debian couldn't live with this. So the only
> hurdle for this approach would probably be, to get the consent of the
> original authors.
>
> Please enlighten me, if I'm on a completely wrong track.
>
> Roland
>
> -------
> http://www.q-leap.com / http://qlustar.com
> --- HPC / Storage / Cloud Linux Cluster OS ---
>
> P> On Tue, Mar 1, 2016 at 12:03 PM, frank <sound...@gmx.net> wrote:
> >> Hi,
> >>
> >> I added tweetnacl to libzmq in 2014 and would like to add my
> >> opinion too.
> >>
> >> tweetnacl as it is integrated now is very nice for people
> >> starting with compiling from source e.g. developers using higher
> >> level languages like Python and requiring latest code changes.
> >> - it will just work and produce not too many problems.
> >>
> >> Removing tweetnacl from the libzmq source distribution and using
> >> e.g. a tweetnacl Debian package for Debian libzmq will hurt in
> >> two ways:
> >>
> >> - There will be again libzmq builds without encryption at all
> >> - libzmq on Debian will not use libsodium and probably have a
> >>   slower libzmq
> >>
> >> So I would say:
> >>
> >> - Make tweetnacl default for source builds and leave it inside
> >>   the libzmq tar ball.
> >> - Add a recommendation to the documentation advising people
> >>   producing binary packages to link to libsodium
> >>
> >> kind regards Frank
> >>
> >> _______________________________________________
> >> zeromq-dev mailing list
> >> zeromq-dev@lists.zeromq.org
> >> http://lists.zeromq.org/mailman/listinfo/zeromq-dev