On Wed, Jul 23, 2025 at 5:20 PM Simon Josefsson <si...@josefsson.org> wrote:
>
> Andreas Metzler <ametz...@bebt.de> writes:
>
> >> The documented reason for removal from unstable was a FTBFS
> >> https://bugs.debian.org/1100144
> > [...]
> >
> > Hello,
> > Yes. liboqs ended up being unmaintained, lagging multiple upstream
> > versions behind. I pondered adopting/rescuing it but refrained from
> > doing so when I got the impression this might probably never be a
> > candidate for Debian stable, i.e. it should always have lived in
> > experimental instead of sid.
>
> Is it forbidden for packages to exist in unstable and/or experimental
> only in Debian?
>
> While liboqs is not intended for normal production use because of
> certain properties, it is useful for its designated purposes of
> experiments and testing. I think we somehow conflate these two,
> thinking that everything in a Debian stable release MUST be intended for
> secure production use. I think it is fine to ship things with known
> serious issues for certain use-cases, but perfectly good properties for
> other use-cases, as long as the limitations and use-cases are clearly
> documented. So to me having liboqs in a Debian stable release seems
> acceptable.
To me it sounds like perhaps it should be listed as explicitly unsupported from a security perspective? (How that works, I haven't looked into yet, but I know check-support-status from debian-security-support can find info about what is and isn't supported somehow, so I'm sure it can be done.)

> It seems good that GnuTLS stopped using liboqs though, because GnuTLS
> _is_ intended for secure online usage whereas liboqs is not.
>
> /Simon