How to package crypto plugins?

[markus2330]

In 06fcf31 (Debian branch) I have split up the Debian packages so that the core packages (libelektra4 and elektra-bin) can be installed without deps.

The resulting crypto package, however, now has quite many deps:

Depends: libelektra4 (= 0.8.23-1.1051), libbotan-1.10-1 (>= 1.10.12), libc6 (>= 2.14), libgcc1 (>= 1:3.0), libgcrypt20 (>= 1.7.0), libssl1.1 (>= 1.1.0), libstdc++6 (>= 5.2)

Is it okay that way, should we make 3 packages or is maybe some crypto provider less useful (and we do not add them to our packages)?

[petermax2]

or is maybe some crypto provider less useful (and we do not add them to our packages)?

Performance-wise crypto_gcrypt is the fastest of the three plugin variants.

From a user perspective: do I want to chose OpenSSL over LibGcrypt for some reason? Or do I prefer Botan? I honestly don't know. But maybe there are or there will be some objections that make one of the crypto libraries more preferable?

Is it okay that way, should we make 3 packages

Having three packages should work just fine. But then we should make a recommendation which one to chose per default or in case of doubt. That raises the question again: why do we provide three packages, that do the same thing with a different set of libraries, in the first place?

@markus2330 Maybe you could collect some feedback during an Elektra meeting? What do other developers say? Do they want to decide what crypto library they use? Do they care? What is important when chosing such a library? Is performance even relevant, given the assumption that only a small portion of the data is being encrypted anyway?

[markus2330]

I think you are the best to answer these questions. We barely know the differences between these three libs. But of course you are welcome to do some feedback round when you have time to visit us 😉 To get more metrics, we could compare popularity (e.g. https://popcon.debian.org) and installation size.

Packaging all 3 libs is okay from my side. (It is not too much effort.) But we should give a recommendation (default).

[petermax2]

We barely know the differences between these three libs.

I only know the differences in how to use the libraries. And I gathered the performance data during my Bachelors thesis. Other than that, I do not know how good the libs work internally. This should not affect the decision which lib we recommend.

Also I have no experience in cryptology. But since they are all maintained and widely used, they can all be recommended to some extent. Although the wide use did not prevent Heartbleed and similar bugs.

I did a quick apt-cache rdepends on the libs and came to the following results:

1. around 10 packages depend on libbotan,
2. around 240 packages depend on libgcrypt, and
3. over 900 pacakges depend on OpenSSL.

By sheer popularity we should go for OpenSSL. By performance, we should go for libgcrypt. And I think we can drop the Botan package (both performance- and popularity wise).

EDIT: corrected Heartbleed

[markus2330]

Thank you for the analysis!

Anybody interested in implementing the splitup of libelektra4-gcrypt libelektra4-openssl and the removal of botan in the Debian package?