On Wed, Jul 23, 2025 at 7:42 PM Michael Stone <mst...@debian.org> wrote:
>
> On Wed, Jul 23, 2025 at 06:40:39PM -0500, Aaron Rainbolt wrote:
> >Who says we can't build anything against it though?
>
> Anyone using common sense, IMO.

That isn't an argument.

> >Big, security-sensitive packages can't use it, but other programs might
> >end up needing it in the future for non-security-sensitive things.
>
> A non-security-sensitive application that needs PQC vs existing
> widely available encryption algorithms? Do you have any plausible
> example of this? "Might maybe needs this someday" isn't very compelling.

One easy plausible example would be a benchmarking application that
tested quantum-resistant algorithms as part of the tests it ran (say
Phoronix Test Suite, not that it does that now but it could some day).
A communication application with experimental PQC support would be
another example, and indeed if liboqs is intended to ever mature to
something usable in a security-sensitive use case, it would make sense
for people wanting to add PQC support to use liboqs now and then
upgrade their PQC support to "not experimental" once the library was
declared ready for security-sensitive use.

> >Plus, "the source is more useful and easily obtained elsewhere" doesn't
> >work when dependencies in a stable release of Debian may not be new
> >enough to build the latest version of things. `sudo apt install
> >liboqs-dev` is orders of magnitude easier than `git clone ...; # figure
> >out the right version to check out, possibly by trial and error; #
> >figure out the actually needed build dependencies, may need trial and
> >error here too; configure; make`.
>
> Do you have actual examples of applications which need to use an
> obsolete version of this (let's be honest, security sensitive) library
> which is declared to be unstable? And the concern is that the library
> will evolve to not build on stable debian, but the application will not?
> This smells a lot more like rationalizing than addressing practical
> concerns.

This library in particular? No, but I've run into this situation with
other software in the past, even in distros less stable than Debian.

I don't really see how the concerns you're expressing are practical;
they seem to be "I don't understand why anyone would use this". The
only practical concerns I can see are archive size (haven't heard any
concerns that the archive is getting too big so far) or maintainership
burden (there's someone interested in maintaining it for now and the
project doesn't look massive), and both of those concerns apply to
every package in the archive. There are people actively interested in
both packaging and using liboqs in this thread, if I'm understanding
correctly, so "why would anyone use this" doesn't make sense as an
argument to me.
