libecc

Lukas Schwaighofer lukas at schwaighofer.name
Sun Aug 27 12:04:14 UTC 2017


Hi Stéphane,

I'm adding pkg-security-team to CC since this is to be a
team-maintained package.

On Tue, 15 Aug 2017 13:49:06 +0200
Stéphane Neveu <stefneveu at gmail.com> wrote:

> I'm writing you this email because I'm working on a new package:
> libecc (a C library for elliptic-curve-based cryptography).

I just looked for the ITP and found it [1].  Note that the Owner is not
recorded properly because there is a line break between the team name
and the e-mail address in the Owner: pseudo header.  Please use the
control interface to update the owner of that bug.


When searching for existing packages, I found a few things that
may be trouble:
* There is a source package called eclib, which generates the binary
  packages eclib-tools, libec-dev and libec3
  - this may be trouble as one of the shared object files from your
    package is called `libec.so`
* There is a source package called ecere-sdk which creates a
  binary package called libecc0
  - Not really a problem for your package from a technical perspective,
    but it may end up being confusing for users


Another question I'd like to raise here: Do we need this library in
Debian (it doesn't seem to have any unique features)?  Is there software
you want to package that needs to link against your libecc?  I just also
looked at the project's README.md file [2] which states:

  Though some efforts have been made to have (most of) the core
  algorithms constant time, turning libecc into a library shielded
  against side channel attacks is still a work in progress.

I think this means that the library is not yet ready for production use.


I'm stopping my review here, since at this point I don't think we
should package libecc in Debian (yet).  If you think otherwise,
convince me and I'll continue reviewing & working on the package
together with you :) .

Regards
Lukas

> This library produces (no configure, just a Makefile) both static and
> dynamic binaries with .so files.
> I have already uploaded the debian/master and the upstream/latest
> branches on alioth.
> This is my first library and I'm a bit lost with different
> architectures and how to handle it with wildcards or dh-exec and
> DEB_HOST_MULTIARCH etc...
> I've tried many things, but it does not work installing files in
> /usr/lib/*/*so for example. I'm probably doing it wrong, so if you
> have some courage to help me again,
> I'd be glad to update my package following your advice before I go
> further.

[1] https://bugs.debian.org/872255
[2] https://github.com/ANSSI-FR/libecc
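As an added illustration of the multiarch install question quoted above (this is example packaging, not the package discussed in the thread or anything from the libecc project), one way to place a shared object built by a plain upstream Makefile into the multiarch library directory is to read DEB_HOST_MULTIARCH from dpkg's architecture.mk inside debian/rules and install the file explicitly. The binary package name libecc-dev, the build output directory build/, and the assumption that libec.so is the only .so to ship are all placeholders chosen for this example; dh-exec is not needed in this variant because the path is expanded by make rather than by a debian/*.install file.

```makefile
#!/usr/bin/make -f
# debian/rules (hypothetical example, not the thread's package)

# Provides DEB_HOST_MULTIARCH (e.g. x86_64-linux-gnu) without
# shelling out to dpkg-architecture by hand.
include /usr/share/dpkg/architecture.mk

# Hardening flags exported so upstream's Makefile picks them up
# through CFLAGS/LDFLAGS (assumes the Makefile honours them).
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

%:
	dh $@

# Upstream has no install target, so install the artifacts ourselves
# into the multiarch directory instead of relying on usr/lib/*/*.so
# globs that only match files that already exist in debian/tmp.
override_dh_auto_install:
	install -d debian/libecc-dev/usr/lib/$(DEB_HOST_MULTIARCH)
	install -m 0644 build/libec.so \
	    debian/libecc-dev/usr/lib/$(DEB_HOST_MULTIARCH)/libec.so
	install -m 0644 build/libec.a \
	    debian/libecc-dev/usr/lib/$(DEB_HOST_MULTIARCH)/libec.a
```

For this to be co-installable across architectures the binary package also needs `Multi-Arch: same` in debian/control, and the conflicting file name Lukas points out (libec.so from the existing libec-dev package) would still have to be resolved before upload, for example by renaming the installed object or by declaring a Conflicts relationship.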