| From | Michael Stone <mstone@debian.org> |
|---|---|
| Newsgroups | linux.debian.bugs.dist, linux.debian.devel |
| Subject | Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms |
| Date | 2025-07-24 03:40 +0200 |
| Message-ID | <LbT69-2bFn-1@gated-at.bofh.it> (permalink) |
| References | (7 earlier) <LbRnH-2awS-1@gated-at.bofh.it> <LbSjL-2b8a-9@gated-at.bofh.it> <LbSD7-2bvv-17@gated-at.bofh.it> <LbfV8-1LWq-5@gated-at.bofh.it> <LbSD7-2bvv-17@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
Cross-posted to 2 groups.
On Wed, Jul 23, 2025 at 08:05:48PM -0500, Aaron Rainbolt wrote:
>One easy plausible example would be a benchmarking application that
>tested quantum-resistant algorithms as part of the tests it ran (say
>Phoronix Test Suite, not that it does that now but it could some day).

A benchmarking application that doesn't exist and which happens to only use the version in debian stable? That seems pretty unlikely, no?

>A communication application with experimental PQC support would be
>another example, and indeed if liboqs is intended to ever mature to
>something usable in a security-sensitive use case, it would make sense
>for people wanting to add PQC support to use liboqs now and then
>upgrade their PQC support to "not experimental" once the library was
>declared ready for security-sensitive use.

Or use a different library, right? That's a lot of "maybe in the futures" which assume that this library will someday become essential. If the support is experimental and it's a *communication application*, we're not likely to ship it enabled in stable, right?

>> Do you have actual examples of applications which need to use an
>> obsolete version of this (let's be honest, security sensitive) library
>> which is declared to be unstable? And the concern is that the library
>> will evolve to not build on stable debian, but the application will not?
>> This smells a lot more like rationalizing than addressing practical
>> concerns.
>
>This library in particular? No, but I've run into this situation with
>other software in the past, even in distros less stable than Debian.

So let's worry about it when it becomes a problem. We do have backports...

>I don't really see how the concerns you're expressing are practical,
>they seem to be "I don't understand why anyone would use this". The
>only practical concerns I can see are archive size (haven't heard any
>concerns that the archive is getting too big so far) or maintainership
>burden (there's someone interested in maintaining it for now and the
>project doesn't look massive), and both of those concerns apply to
>every package in the archive. There are people actively interested in
>both packaging and using liboqs in this thread, if I'm understanding
>correctly, so "why would anyone use this" doesn't make sense as an
>argument to me.

No, the concerns are about shipping a *security sensitive library* in stable (so it needs to last for *years*) when the upstream specifically says not to do that. So far I haven't seen *any* strong reason to make that (IMO) really bad decision which would be biting us in 2030 or later.
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Hector Oron Martinez <zumbi@debian.org> - 2025-07-22 09:50 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Andrius Merkys <andrius.merkys@gmail.com> - 2025-07-22 10:20 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Hector Oron <zumbi@debian.org> - 2025-07-22 11:30 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Simon Josefsson <simon@josefsson.org> - 2025-07-22 11:30 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Andreas Metzler <ametzler@bebt.de> - 2025-07-23 06:50 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Hector Oron <zumbi@debian.org> - 2025-07-23 13:10 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Andreas Metzler <ametzler@bebt.de> - 2025-07-23 18:40 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Simon Josefsson <simon@josefsson.org> - 2025-07-23 13:00 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Hector Oron <zumbi@debian.org> - 2025-07-23 13:20 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Simon Josefsson <simon@josefsson.org> - 2025-07-23 13:40 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Simon Josefsson <simon@josefsson.org> - 2025-07-24 00:00 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Andreas Metzler <ametzler@bebt.de> - 2025-07-24 19:20 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Simon Josefsson <simon@josefsson.org> - 2025-07-25 10:20 +0200
Re: Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Andreas Metzler <ametzler@bebt.de> - 2025-07-25 19:20 +0200
Re: Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Simon Josefsson <simon@josefsson.org> - 2025-07-26 10:00 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Michael Stone <mstone@debian.org> - 2025-07-24 01:20 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Michael Stone <mstone@debian.org> - 2025-07-24 02:50 +0200
Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms Michael Stone <mstone@debian.org> - 2025-07-24 03:40 +0200