libecc

Stéphane Neveu stefneveu at gmail.com
Mon Sep 4 19:03:58 UTC 2017


Hi Lukas and team

>
>> Moreover, it should be noted that even the most popular libraries
>> still suffer from attacks of this type: (...)
>
> While that's certainly true, I think the relevant question is, whether
> libecc and its devs/community can provide a sufficient level of:
> * protection against known (side channel) attacks
> * support in fixing any discovered vulnerabilities
>
> I'm aware that this is much harder to achieve for a new project
> compared to widely used and long established projects.  With the devs
> confirming that they have not (extensively) tested the constant time of
> the (compiled) algorithms, I'd prefer to give the libecc project a bit
> more time before packaging it for Debian.
>

I have to agree with you, on the other hand I also think that exposing
a new lib through Debian could bring more feedback to the dev team
and they maybe would achieve some good results...

> However, since you seem to want to go ahead and upstream was quite
> responsive

I also hope they are responsive!

> I'll work with you on it provided that one of the DDs here
> is willing to upload it eventually.
>

Thanks :)

>
> DDs: What do you think regarding packaging that library?  Would you
>      sponsor libecc (once packaging has reached sufficient quality)?
>
>
> In the meantime, you should fix the owner of the ITP bug as I remarked
> in my previous mail.  And I'm still curious: Is there a specific need
> for that library? Is there something you want to package that uses it?

ITP fixed :)
Actually, I have no special needs for it, I've just seen a
presentation on it a few months ago and found the code was pretty clean
to me. In fact, I just wanted to help and maybe push a new ECC lib
into Debian but now I'm doubting :)

>
> Regards
> Lukas

Best regards,

Stephane
