libsodium mess

Eric S. Raymond esr at thyrsus.com
Thu Jan 19 18:32:20 UTC 2017


Hal Murray <hmurray at megapathdsl.net>:
> Eric: Please please please send a message to devel when you make a change 
> like this.

Sorry, I occasionally forget that you don't watch #ntpsec.

In case you haven't looked at the commit log - and for those of you on
devel who missed this - there's good reason I yanked libsodium out of the
tree.  I worried about a scenario where a CVE is issued against it, an update
ships - and NTPsec users don't get the benefit and have no idea they're
still vulnerable.

In general it's a really bad idea to carry *anything* security-related in-tree
if we have the option not to, for that exact reason.  Yes, the process could
fail - say, minor distributions could fail to update libsodium as rapidly as
they should. But in the absence of perfect countermeasures, I choose the one
with the least risk of making *NTPsec* look like incompetents...

> waf errors out when it can't find sodium.h even if you haven't configured 
> with --enable-crypto

That is correct behavior.  The code uses ntp_random() - which calls libsodium -
to fuzz the low-order bits of the clock.

> NetBSD puts sodium.h in /usr/pkg/include/
> FreeBSD puts it in /usr/local/include/
> (In case it isn't obvious, waf doesn't look there.)

I added includes=ctx.env.PLATFORM_INCLUDES as an argument to the header check.
In theory that ought to fix this.

> Fedora needs libsodium-devel to build

Updated, thanks.

> INSTALL says:
>      Debian: libsodium
> 
> apt-get install on my debian box says:
>   E: Unable to locate package libsodium

Running Wheezy, I take it?

> INSTALL says:
>    CentOS: libsodium in the epel ("Extra Packages for Enterprise Linux") repo.
>    Ubuntu 14.04 LTS: and older: https://gist.github.com/jonathanpmartins/2510f38abee1e65c6d92
> 
> I think we need a few more words and/or a URL with details.  With that hint, 
> I can probably figure it out if google cooperates.

I've already updated INSTALL once since the version you quoted, adding some
details.  I think the thing I might try next is turning the instructions on
how to load prerequisites into a script that does the job. 
-- 
Eric S. Raymond <http://www.catb.org/~esr/>
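The prerequisite-loading script mentioned at the end of the message, and the platform include-directory problem Hal raised, as an added example. This is not code from the NTPsec tree or from the author: it is a POSIX sh helper that searches the include directories named in the thread for sodium.h (the directory it finds is what the waf header check needs as its include path) and, when the header is missing, prints the distro's package-install command. Only the Fedora package name (libsodium-devel) and the NetBSD/FreeBSD paths come from the thread; the other package names and install commands are assumptions, as is the script name sodium_prereq.sh used in the run guard.

```shell
#!/bin/sh
# Added example, not part of the NTPsec tree: locate sodium.h in platform
# include directories and, failing that, name the package that provides it.

# Candidate include directories for a given `uname -s` value.
# The NetBSD and FreeBSD locations are the ones reported in the thread;
# /usr/include is the default everywhere else.
sodium_include_dirs() {
    case "$1" in
        NetBSD)  echo "/usr/pkg/include /usr/include" ;;
        FreeBSD) echo "/usr/local/include /usr/include" ;;
        *)       echo "/usr/include /usr/local/include" ;;
    esac
}

# Print the first directory in the space-separated list $1 that contains
# sodium.h; return 1 if none does (this is the check waf performs once it
# is told about PLATFORM_INCLUDES).
find_sodium_header() {
    for d in $1; do
        if [ -f "$d/sodium.h" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Package install command keyed on the ID= field of /etc/os-release.
# fedora/libsodium-devel is from the thread; the Debian/Ubuntu, CentOS,
# FreeBSD and NetBSD entries are assumptions about those platforms.
prereq_install_cmd() {
    case "$1" in
        fedora)        echo "dnf install -y libsodium-devel" ;;
        centos|rhel)   echo "yum install -y epel-release && yum install -y libsodium-devel" ;;
        debian|ubuntu) echo "apt-get install -y libsodium-dev" ;;
        freebsd)       echo "pkg install -y libsodium" ;;
        netbsd)        echo "pkgin -y install libsodium" ;;
        *)             return 1 ;;
    esac
}

# Print the ID= value from an os-release style file ($1), quotes stripped.
os_release_id() {
    [ -r "$1" ] || return 1
    sed -n 's/^ID=//p' "$1" | tr -d '"'
}

main() {
    os=$(uname -s)
    dirs=$(sodium_include_dirs "$os")
    if inc=$(find_sodium_header "$dirs"); then
        echo "sodium.h found in $inc; pass that directory to the waf header check"
    else
        # Fall back to the lower-cased kernel name on systems without os-release.
        id=$(os_release_id /etc/os-release || echo "$os" | tr 'A-Z' 'a-z')
        if cmd=$(prereq_install_cmd "$id"); then
            echo "sodium.h not found; install the development package with: $cmd"
        else
            echo "sodium.h not found and no known install command for '$id'" >&2
            exit 1
        fi
    fi
}

# Run main only when invoked as the script itself, so the functions can be
# sourced (e.g. by a test) without side effects. Script name is assumed.
case "$0" in
    *sodium_prereq.sh) main ;;
esac
```

Run it as `sh sodium_prereq.sh` on the build host; the directory it prints is the value the waf configure step needs to find the header on NetBSD and FreeBSD, and the install line it prints on a bare Linux box is the one-liner INSTALL currently spells out per distro.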