libecc
Stéphane Neveu
stefneveu at gmail.com
Mon Sep 4 19:03:58 UTC 2017
Hi Lukas and team
>
>> Moreover, it should be noted that even the most popular libraries
>> still suffer from attacks of this type: (...)
>
> While that's certainly true, I think the relevant question is, whether
> libecc and its devs/community can provide a sufficient level of:
> * protection against known (side channel) attacks
> * support in fixing any discovered vulnerabilities
>
> I'm aware that this is much harder to achieve for a new project
> compared to widely used and long established projects. With the devs
> confirming that they have not (extensively) tested the constant time of
> the (compiled) algorithms, I'd prefer to give the libecc project a bit
> more time before packaging it for Debian.
>
I have to agree with you, on the other hand I also think that exposing
a new lib through Debian could bring more feedback to the dev team
and they maybe would achieve some good results...
> However, since you seem to want to go ahead and upstream was quite
> responsive
I also hope they are responsive!
> I'll work with you on it provided that one of the DDs here
> is willing to upload it eventually.
>
Thanks :)
>
> DDs: What do you think regarding packaging that library? Would you
> sponsor libecc (once packaging has reached sufficient quality)?
>
>
> In the meantime, you should fix the owner of the ITP bug as I remarked
> in my previous mail. And I'm still curious: Is there a specific need
> for that library? Is there something you want to package that uses it?
ITP fixed :)
Actually, I have no special needs for it, I've just seen a
presentation on it a few months ago and found the code was pretty clean
to me. In fact, I just wanted to help and maybe push a new ECC lib
into Debian but now I'm doubting :)
>
> Regards
> Lukas
Best regards,
Stephane