Re: Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms
- To: Aaron Rainbolt <arraybolt3@gmail.com>
- Cc: Simon Josefsson <simon@josefsson.org>,	Andreas Metzler <ametzler@bebt.de>, Hector Oron <zumbi@debian.org>,	1109697@bugs.debian.org, debian-devel@lists.debian.org
- Subject: Re: Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms
- From: Michael Stone <mstone@debian.org>
- Date: Wed, 23 Jul 2025 20:42:44 -0400
- Message-id: <fb6b0640-6825-11f0-9b6a-00163eeb5320@msgid.mathom.us>
- Mail-followup-to: Aaron Rainbolt <arraybolt3@gmail.com>,	Simon Josefsson <simon@josefsson.org>,	Andreas Metzler <ametzler@bebt.de>, Hector Oron <zumbi@debian.org>,	1109697@bugs.debian.org, debian-devel@lists.debian.org
- In-reply-to: <CAFfBHfZTebwSCqqXcYN-JOXaK59hKi4ygqdXEFeyn_c08A7e4A@mail.gmail.com>

On Wed, Jul 23, 2025 at 06:40:39PM -0500, Aaron Rainbolt wrote:
> Who says we can't build anything against it though?

Anyone using common sense, IMO.

> Big, security-sensitive packages can't use it, but other programs might
> end up needing it in the future for non-security-sensitive things.

A non-security-sensitive application that needs PQC vs existing
widely available encryption algorithms? Do you have any plausible
example of this? "Might maybe needs this someday" isn't very compelling.

> Plus, "the source is more useful and easily obtained elsewhere" doesn't
> work when dependencies in a stable release of Debian may not be new
> enough to build the latest version of things. `sudo apt install
> liboqs-dev` is orders of magnitude easier than `git clone ...; # figure
> out the right version to check out, possibly by trial and error; #
> figure out the actually needed build dependencies, may need trial and
> error here too; configure; make`.

Do you have actual examples of applications which need to use an
obsolete version of this (let's be honest, security sensitive) library
which is declared to be unstable? And the concern is that the library
will evolve to not build on stable debian, but the application will not?
This smells a lot more like rationalizing than addressing practical
concerns.