New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to package crypto plugins? #2089
Comments
Performance-wise From a user perspective: do I want to chose OpenSSL over LibGcrypt for some reason? Or do I prefer Botan? I honestly don't know. But maybe there are or there will be some objections that make one of the crypto libraries more preferable?
Having three packages should work just fine. But then we should make a recommendation which one to chose per default or in case of doubt. That raises the question again: why do we provide three packages, that do the same thing with a different set of libraries, in the first place? @markus2330 Maybe you could collect some feedback during an Elektra meeting? What do other developers say? Do they want to decide what crypto library they use? Do they care? What is important when chosing such a library? Is performance even relevant, given the assumption that only a small portion of the data is being encrypted anyway? |
I think you are the best to answer these questions. We barely know the differences between these three libs. But of course you are welcome to do some feedback round when you have time to visit us 😉 To get more metrics, we could compare popularity (e.g. https://popcon.debian.org) and installation size. Packaging all 3 libs is okay from my side. (It is not too much effort.) But we should give a recommendation (default). |
I only know the differences in how to use the libraries. And I gathered the performance data during my Bachelors thesis. Other than that, I do not know how good the libs work internally. This should not affect the decision which lib we recommend. Also I have no experience in cryptology. But since they are all maintained and widely used, they can all be recommended to some extent. Although the wide use did not prevent Heartbleed and similar bugs. I did a quick
By sheer popularity we should go for OpenSSL. By performance, we should go for libgcrypt. And I think we can drop the Botan package (both performance- and popularity wise). EDIT: corrected Heartbleed |
Thank you for the analysis! Anybody interested in implementing the splitup of libelektra4-gcrypt libelektra4-openssl and the removal of botan in the Debian package? |
In 06fcf31 (Debian branch) I have split up the Debian packages so that the core packages (libelektra4 and elektra-bin) can be installed without deps.
The resulting crypto package, however, now has quite many deps:
Depends: libelektra4 (= 0.8.23-1.1051), libbotan-1.10-1 (>= 1.10.12), libc6 (>= 2.14), libgcc1 (>= 1:3.0), libgcrypt20 (>= 1.7.0), libssl1.1 (>= 1.1.0), libstdc++6 (>= 5.2)
Is it okay that way, should we make 3 packages or is maybe some crypto provider less useful (and we do not add them to our packages)?
The text was updated successfully, but these errors were encountered: