Update libsodium installation instructions #5181
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Closed
disassembler
approved these changes
May 3, 2023
CarlosLopezDeLara
approved these changes
May 3, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The libsodium library has certain supported and documented ways to build and use the library. In particular it involves building the whole library using libsodium's own build system. Turning on the external-libsodium-vrf flag (and thus using the bundled C code instead) does neither of these things: it only builds little bits of libsodium and does not use the libsodium build system. So from the perspective of the libsodium developers it is not a supported configuration. For that reason it's not something we can currently recommend to use in production.
In summary, it's not known to be wrong, rather it's not known to be ok, and since this is critical to security, as a cautionary measure we don't recommend its usage in production. We will look more carefully into the security implications for using this flag, but in the meantime we do not advise its usage.