On Wed, Jul 23, 2025 at 6:15 PM Michael Stone <mst...@debian.org> wrote: > > On Wed, Jul 23, 2025 at 05:57:11PM -0500, Aaron Rainbolt wrote: > >To me it sounds like perhaps it should be listed as explicitly > >unsupported from a security perspective? > > To me it sounds like it shouldn't be in debian. We can't really build > anything against it, so it's basically a curiosity/learning tool...and > for that purpose the source is more useful and easily obtained > elsewhere.
Who says we can't build anything against it though? Big, security-sensitive packages can't use it, but other programs might end up needing it in the future for non-security-sensitive things. Plus, "the source is more useful and easily obtained elsewhere" doesn't work when dependencies in a stable release of Debian may not be new enough to build the latest version of things. `sudo apt install liboqs-dev` is orders of magnitude easier than `git clone ...; # figure out the right version to check out, possibly by trial and error; # figure out the actually needed build dependencies, may need trial and error here too; configure; make`.
