libecc

Lukas Schwaighofer lukas at schwaighofer.name
Wed Aug 30 18:23:13 UTC 2017


Hi Stéphane,

thanks for relaying the dev's reply.

> Moreover, it should be noted that even the most popular libraries
> still suffer from attacks of this type: (...)

While that's certainly true, I think the relevant question is whether
libecc and its devs/community can provide a sufficient level of:
* protection against known (side channel) attacks
* support in fixing any discovered vulnerabilities

I'm aware that this is much harder to achieve for a new project
compared to widely used and long established projects.  With the devs
confirming that they have not (extensively) tested the constant time of
the (compiled) algorithms, I'd prefer to give the libecc project a bit
more time before packaging it for Debian.

However, since you seem to want to go ahead and upstream was quite
responsive, I'll work with you on it provided that one of the DDs here
is willing to upload it eventually.


DDs: What do you think regarding packaging that library?  Would you
     sponsor libecc (once packaging has reached sufficient quality)?


In the meantime, you should fix the owner of the ITP bug as I remarked
in my previous mail.  And I'm still curious: Is there a specific need
for that library? Is there something you want to package that uses it?

Regards
Lukas

