pkg-perl-maintainers team mailing list archive

Thread
Date

[Bug 2046154] Re: [MIR] libcryptx-perl (libmail-dkim-perl dependency)

To: pkg-perl-maintainers@xxxxxxxxxxxxxxxxxxx
From: Mark Esler <2046154@xxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Jan 2024 20:53:11 -0000
Reply-to: Bug 2046154 <2046154@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

I spoke to @tobhe for a crypto review.

Unfortunately Crypt::Perl::Ed25519 is not base on crypto RFCs. It is a
port from Javascript and the math appears dubious [0].

Static analyzer results on libcryptx-perl are not happy, but fixable--
especially after reducing the codebase. If libtomcrypt were updated to
upstream's most recent commit instead of version, it *might* be a
cleaner implementation for minimization.

Ideally we could use crypto software we already maintain, like OpenSSL.
Please consider creating and maintaining a wrapper for
`Crypt::OpenSSL::Ed25519` as a fourth option. The wrapper would be for
[1].

The maintainers of libmail-dkim-perl might switch over if we do this :)

[0] https://metacpan.org/release/FELIPE/Crypt-Perl-0.38/source/lib/Crypt/Perl/Ed25519/Math.pm
[1] https://www.openssl.org/docs/man3.0/man7/Ed25519.html

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libcryptx-perl in Ubuntu.
https://bugs.launchpad.net/bugs/2046154

Title:
  [MIR] libcryptx-perl (libmail-dkim-perl dependency)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcryptx-perl/+bug/2046154/+subscriptions

References

[Bug 2046154] [NEW] [MIR] libcryptx-perl (libmail-dkim-perl dependency)
From: Miriam España Acebal, 2023-12-11