libecc
Lukas Schwaighofer
lukas at schwaighofer.name
Sun Aug 27 12:04:14 UTC 2017
Hi Stéphane,
I'm adding pkg-security-team to CC since this is to be a
team-maintained package.
On Tue, 15 Aug 2017 13:49:06 +0200
Stéphane Neveu <stefneveu at gmail.com> wrote:
> I'm writing you this email because I'm working on a new package:
> libecc (a C library for elliptic curves based cryptography).
I just looked for the ITP and found it [1]. Note that the Owner is not
recorded properly because there is a line break between the team name
and the e-mail address in the Owner: pseudo header. Please use the
control interface to update the owner of that bug.
When searching for existing packages, I found a few things that
may be trouble:
* There is a source package called eclib, which generates the binary
  packages eclib-tools, libec-dev and libec3
  - this may be trouble as one of the shared object files from your
    package is called `libec.so`
* There is a source package called ecere-sdk which creates a
  binary package called libecc0
  - Not really a problem for your package from a technical perspective
    but may end up being confusing for users
Another question I'd like to raise here: Do we need this library in
Debian (it doesn't seem to have any unique features)? Is there software
you want to package that needs to link against your libecc? I just also
looked at the project's README.md file [2] which states:
    Though some efforts have been made to have (most of) the core
    algorithms constant time, turning libecc into a library shielded
    against side channel attacks is still a work in progress.
I think this means that the library is not yet ready for production use.
I'm stopping my review here, since at this point I don't think we
should package libecc in Debian (yet). If you think otherwise,
convince me and I'll continue reviewing & working on the package
together with you :) .
Regards
Lukas
> This library produces (no configure, just a Makefile) both static and
> dynamic binaries with .so files.
> I have already uploaded the debian/master and the upstream/latest
> branches on alioth.
> This is my first library and I'm a bit lost with different
> architectures and how to handle it with wildcards or dh-exec and
> DEB_HOST_MULTIARCH etc...
> I've tried many things, but it does not work installing files in
> /usr/lib/*/*so for example, I'm probably doing it wrong, so if you
> have some courage to help me again,
> I'd be glad to update my package following your advice before I go
> further.
[1] https://bugs.debian.org/872255
[2] https://github.com/ANSSI-FR/libecc