On Wed, Jul 23, 2025 at 06:40:39PM -0500, Aaron Rainbolt wrote:
> Who says we can't build anything against it though?

Anyone using common sense, IMO.

> Big, security-sensitive packages can't use it, but other programs might end up needing it in the future for non-security-sensitive things.

A non-security-sensitive application that needs PQC vs existing widely available encryption algorithms? Do you have any plausible example of this? "Might maybe needs this someday" isn't very compelling.

> Plus, "the source is more useful and easily obtained elsewhere" doesn't work when dependencies in a stable release of Debian may not be new enough to build the latest version of things. `sudo apt install liboqs-dev` is orders of magnitude easier than `git clone ...; # figure out the right version to check out, possibly by trial and error; # figure out the actually needed build dependencies, may need trial and error here too; configure; make`.

Do you have actual examples of applications which need to use an obsolete version of this (let's be honest, security-sensitive) library which is declared to be unstable? And the concern is that the library will evolve to not build on stable Debian, but the application will not? This smells a lot more like rationalizing than addressing practical concerns.
