• Bug#1109697: ITP: liboqs -- library for quantum-safe cryptographic algorithms

    From Hector Oron Martinez@21:1/5 to All on Tue Jul 22 09:50:02 2025
    XPost: linux.debian.devel

    Package: wnpp
    Severity: wishlist
    Owner: Hector Oron Martinez <[email protected]>
    X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected], [email protected]

    * Package name : liboqs
    Version : 0.14.0
    Upstream Contact: https://github.com/open-quantum-safe/liboqs/issues
    * URL : https://openquantumsafe.org/
    * License : Apache-2.0, BSD-3-Clause, CC0, Expat, GPL-3, public-domain
    Programming Lang: C, Assembler
    Description : library for quantum-safe cryptographic algorithms

    liboqs is an open source C library for quantum-safe cryptographic algorithms. It provides a collection of open source implementations of quantum-safe key encapsulation mechanism (KEM) and digital signature algorithms; a common API for these algorithms; a test harness and benchmarking routines.
    .
    liboqs is part of the Open Quantum Safe (OQS) project, which aims to develop and integrate into applications quantum-safe cryptography to facilitate deployment and testing in real world contexts. In particular, OQS provides prototype integrations of liboqs into TLS and SSH, through OpenSSL and OpenSSH.


    I would like to provide Quantum Safe algorithms for Debian usage and
    form a team of people that works on enabling this in the project.

    This package is the first step, from my point of view, to get this
    enabled in the distribution.

    Thanks for watching!

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Hector Oron@21:1/5 to All on Tue Jul 22 11:30:01 2025
    Hello,

    On Tue, 22 Jul 2025 at 11:00, Simon Josefsson
    (<[email protected]>) wrote:

    > It is already in Debian:
    > https://tracker.debian.org/pkg/liboqs

    This was removed from unstable, see https://bugs.debian.org/1100144

    > I have an update here that could be reviewed and uploaded, I have talked
    > to Adrian and Andrius about this - maybe with all of us helping we can
    > finish it?
    > https://salsa.debian.org/debian/liboqs

    Yes, that is great. I suggest we create a team and work on enabling
    this feature in the distribution for the forky release.

    Regards

  • From Simon Josefsson@21:1/5 to All on Tue Jul 22 11:30:01 2025
    Hi

    It is already in Debian:

    https://tracker.debian.org/pkg/liboqs

    I have an update here that could be reviewed and uploaded, I have talked
    to Adrian and Andrius about this - maybe with all of us helping we can
    finish it?

    https://salsa.debian.org/debian/liboqs

    /Simon

    On 22 July 2025 at 09:42, Hector Oron Martinez <[email protected]> wrote:
    > Package: wnpp
    > Severity: wishlist
    > Owner: Hector Oron Martinez <[email protected]>
    > X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
    >
    > * Package name : liboqs
    > Version : 0.14.0
    > [...]


  • From Andreas Metzler@21:1/5 to [email protected] on Wed Jul 23 06:50:01 2025
    XPost: linux.debian.devel

    On 2025-07-22 Hector Oron Martinez <[email protected]> wrote:
    > Package: wnpp
    > Severity: wishlist
    > Owner: Hector Oron Martinez <[email protected]>
    > X-Debbugs-Cc: [email protected], [email protected], [email protected], [email protected], [email protected]
    >
    > * Package name : liboqs
    > Version : 0.14.0
    [...]

    > I would like to provide Quantum Safe algorithms for Debian usage and
    > form a team of people that works on enabling this in the project.
    >
    > This package is the first step, from my point of view, to get this
    > enabled in the distribution.

    liboqs already once was part of Debian/sid and was removed later.

    One of the major reasons was that upstream did not want to see liboqs
    shipped in a stable release (See https://github.com/orgs/open-quantum-safe/discussions/1625 )

    GnuTLS has (temporarily, until nettle has PQ in a released version)
    switched to leancrypto from liboqs, have you looked at that?

    cu Andreas

  • From Simon Josefsson@21:1/5 to Hector Oron on Wed Jul 23 13:00:01 2025
    Hector Oron <[email protected]> writes:

    >> I have an update here that could be reviewed and uploaded, I have
    >> talked to Adrian and Andrius about this - maybe with all of us
    >> helping we can finish it?
    >> https://salsa.debian.org/debian/liboqs
    >
    > Yes, that is great. I suggest we create a team and work on enabling
    > this feature in the distribution for the forky release.

    How about updating that to the latest release, and make (say) the
    'Debian Security Tools' the maintainer, with interested people as
    Uploaders?

    Hector, did you package 0.14.0 or did you just plan to do so? If you
    packaged 0.14.0 I could merge it into my git repo above, or something.

    /Simon


  • From Hector Oron@21:1/5 to All on Wed Jul 23 13:10:01 2025
    XPost: linux.debian.devel

    Hello Andreas,

    On Wed, 23 Jul 2025 at 6:40, Andreas Metzler (<[email protected]>) wrote:

    > On 2025-07-22 Hector Oron Martinez <[email protected]> wrote:
    >
    >> I would like to provide Quantum Safe algorithms for Debian usage and
    >> form a team of people that works on enabling this in the project.
    >
    > liboqs already once was part of Debian/sid and was removed later.
    >
    > One of the major reasons was that upstream did not want to see liboqs
    > shipped in a stable release (See https://github.com/orgs/open-quantum-safe/discussions/1625 )

    The documented reason for removal from unstable was a FTBFS https://bugs.debian.org/1100144

    I do still think we need to provide this package to start enabling PQC
    in the distribution, then consider if we want this in stable release
    or not.

    Many other distributions have this package available: https://repology.org/project/liboqs/versions

    In any case, thanks for the discussion hyperlink, that is very interesting.

    > GnuTLS has (temporarily, until nettle has PQ in a released version)
    > switched to leancrypto from liboqs, have you looked at that?

    Maybe leancrypto is a better way forward for enabling PQ, someone
    should look into this, it looks interesting.
    For reference, https://repology.org/project/leancrypto/versions

    Thanks for the information, very useful.

    One question, is there a clear way forward to enable PQ and keep
    compatible with others? Does it make sense to package everything until
    the path forward is more clear?

    Regards
    --
    Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.

  • From Hector Oron@21:1/5 to All on Wed Jul 23 13:20:02 2025
    Hello,

    On Wed, 23 Jul 2025 at 12:56, Simon Josefsson
    (<[email protected]>) wrote:

    > How about updating that to the latest release, and make (say) the
    > 'Debian Security Tools' the maintainer, with interested people as
    > Uploaders?

    That's exactly what I wanted to do, I am not part of 'Debian Security
    Tools', and I am not sure if they want to take on the PQ burden,
    probably we should discuss with them if they want to take it, I won't
    have objections to that. Alternatively, we could create a 'Debian PQ
    task force' team to figure out how we are going to integrate this in
    the distribution.

    > Hector, did you package 0.14.0 or did you just plan to do so? If you
    > packaged 0.14.0 I could merge it into my git repo above, or something.

    I have not yet worked on updating the package to 0.14.0, I was
    planning to do that, but then I thought it might be best to discuss
    how we move forward with this.

    Regards,
    --
    Héctor Orón -.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.

  • From Simon Josefsson@21:1/5 to Hector Oron on Wed Jul 23 13:40:01 2025
    Hector Oron <[email protected]> writes:

    > Hello,
    >
    > On Wed, 23 Jul 2025 at 12:56, Simon Josefsson
    > (<[email protected]>) wrote:
    >
    >> How about updating that to the latest release, and make (say) the
    >> 'Debian Security Tools' the maintainer, with interested people as
    >> Uploaders?
    >
    > That's exactly what I wanted to do, I am not part of 'Debian Security
    > Tools', and I am not sure if they want to take on the PQ burden,
    > probably we should discuss with them if they want to take it, I won't
    > have objections to that. Alternatively, we could create a 'Debian PQ
    > task force' team to figure out how we are going to integrate this in
    > the distribution.
    >
    >> Hector, did you package 0.14.0 or did you just plan to do so? If you
    >> packaged 0.14.0 I could merge it into my git repo above, or something.
    >
    > I have not yet worked on updating the package to 0.14.0, I was
    > planning to do that, but then I thought it might be best to discuss
    > how we move forward with this.

    Sounds good! Please join the security group, it is simple I think.
    Proliferation of Debian maintainer groups seems like a hassle to me, and
    we are short on interested people anyway.

    /Simon


  • From Andreas Metzler@21:1/5 to [email protected] on Wed Jul 23 18:40:01 2025
    XPost: linux.debian.devel

    On 2025-07-23 Hector Oron <[email protected]> wrote:
    > On Wed, 23 Jul 2025 at 6:40, Andreas Metzler (<[email protected]>) wrote:
    >
    >> On 2025-07-22 Hector Oron Martinez <[email protected]> wrote:
    >>
    >>> I would like to provide Quantum Safe algorithms for Debian usage and
    >>> form a team of people that works on enabling this in the project.
    >>
    >> liboqs already once was part of Debian/sid and was removed later.
    >>
    >> One of the major reasons was that upstream did not want to see liboqs
    >> shipped in a stable release (See
    >> https://github.com/orgs/open-quantum-safe/discussions/1625 )
    >
    > The documented reason for removal from unstable was a FTBFS https://bugs.debian.org/1100144
    [...]

    Hello,
    Yes. liboqs ended up being unmaintained, lagging multiple upstream
    versions behind. I pondered adopting/rescuing it but refrained from
    doing so when I got the impression this might probably never be a
    candidate for Debian stable, i.e. it should always have lived in
    experimental instead of sid.

    cu Andreas
    --
    `What a good friend you are to him, Dr. Maturin. His other friends are
    so grateful to you.'
    `I sew his ears on from time to time, sure'

  • From Simon Josefsson@21:1/5 to Andreas Metzler on Thu Jul 24 00:00:02 2025
    XPost: linux.debian.devel

    Andreas Metzler <[email protected]> writes:

    >> The documented reason for removal from unstable was a FTBFS
    >> https://bugs.debian.org/1100144
    >> [...]
    >
    > Hello,
    > Yes. liboqs ended up being unmaintained, lagging multiple upstream
    > versions behind. I pondered adopting/rescuing it but refrained from
    > doing so when I got the impression this might probably never be a
    > candidate for Debian stable, i.e. it should always have lived in
    > experimental instead of sid.

    Is it forbidden for packages to exist in unstable and/or experimental
    only in Debian?

    While liboqs is not intended for normal production use because of
    certain properties, it is useful for its designated purposes of
    experiments and testing. I think we somehow conflate these two,
    thinking that everything in a Debian stable release MUST be intended for
    secure production use. I think it is fine to ship things with known
    serious issues for certain use-cases, but perfectly good properties for
    other use-cases, as long as the limitations and use-cases are clearly
    documented. So to me having liboqs in a Debian stable release seems
    acceptable.

    It seems good that GnuTLS stopped using liboqs though, because GnuTLS
    _is_ intended for secure online usage whereas liboqs is not.

    /Simon


  • From Michael Stone@21:1/5 to Aaron Rainbolt on Thu Jul 24 01:20:01 2025
    XPost: linux.debian.devel

    On Wed, Jul 23, 2025 at 05:57:11PM -0500, Aaron Rainbolt wrote:
    > To me it sounds like perhaps it should be listed as explicitly
    > unsupported from a security perspective?

    To me it sounds like it shouldn't be in debian. We can't really build
    anything against it, so it's basically a curiosity/learning tool...and
    for that purpose the source is more useful and easily obtained
    elsewhere.

  • From Michael Stone@21:1/5 to Aaron Rainbolt on Thu Jul 24 02:50:01 2025
    XPost: linux.debian.devel

    On Wed, Jul 23, 2025 at 06:40:39PM -0500, Aaron Rainbolt wrote:
    > Who says we can't build anything against it though?

    Anyone using common sense, IMO.

    > Big, security-sensitive packages can't use it, but other programs might
    > end up needing it in the future for non-security-sensitive things.

    A non-security-sensitive application that needs PQC vs existing
    widely available encryption algorithms? Do you have any plausible
    example of this? "Might maybe needs this someday" isn't very compelling.

    > Plus, "the source is more useful and easily obtained elsewhere" doesn't
    > work when dependencies in a stable release of Debian may not be new
    > enough to build the latest version of things. `sudo apt install
    > liboqs-dev` is orders of magnitude easier than `git clone ...; # figure
    > out the right version to check out, possibly by trial and error; #
    > figure out the actually needed build dependencies, may need trial and
    > error here too; configure; make`.

    Do you have actual examples of applications which need to use an
    obsolete version of this (let's be honest, security sensitive) library
    which is declared to be unstable? And the concern is that the library
    will evolve to not build on stable debian, but the application will not?
    This smells a lot more like rationalizing than addressing practical
    concerns.

  • From Michael Stone@21:1/5 to Aaron Rainbolt on Thu Jul 24 03:40:01 2025
    XPost: linux.debian.devel

    On Wed, Jul 23, 2025 at 08:05:48PM -0500, Aaron Rainbolt wrote:
    > One easy plausible example would be a benchmarking application that
    > tested quantum-resistant algorithms as part of the tests it ran (say
    > Phoronix Test Suite, not that it does that now but it could some day).

    A benchmarking application that doesn't exist and which happens to only
    use the version in debian stable? That seems pretty unlikely, no?

    > A communication application with experimental PQC support would be
    > another example, and indeed if liboqs is intended to ever mature to
    > something usable in a security-sensitive use case, it would make sense
    > for people wanting to add PQC support to use liboqs now and then
    > upgrade their PQC support to "not experimental" once the library was
    > declared ready for security-sensitive use.

    Or use a different library, right? That's a lot of "maybe in the
    futures" which assume that this library will someday become essential.
    If the support is experimental and it's a *communication application*,
    we're not likely to ship it enabled in stable, right?

    >> Do you have actual examples of applications which need to use an
    >> obsolete version of this (let's be honest, security sensitive) library
    >> which is declared to be unstable? And the concern is that the library
    >> will evolve to not build on stable debian, but the application will not?
    >> This smells a lot more like rationalizing than addressing practical
    >> concerns.
    >
    > This library in particular? No, but I've run into this situation with
    > other software in the past, even in distros less stable than Debian.

    So let's worry about it when it becomes a problem. We do have
    backports...

    > I don't really see how the concerns you're expressing are practical,
    > they seem to be "I don't understand why anyone would use this". The
    > only practical concerns I can see are archive size (haven't heard any
    > concerns that the archive is getting too big so far) or maintainership
    > burden (there's someone interested in maintaining it for now and the
    > project doesn't look massive), and both of those concerns apply to
    > every package in the archive. There are people actively interested in
    > both packaging and using liboqs in this thread, if I'm understanding
    > correctly, so "why would anyone use this" doesn't make sense as an
    > argument to me.

    No, the concerns are about shipping a *security sensitive library* in
    stable (so it needs to last for *years*) when the upstream specifically
    says not to do that. So far I haven't seen *any* strong reason to make
    that (IMO) really bad decision which would be biting us in 2030 or later.

  • From Andreas Metzler@21:1/5 to [email protected] on Thu Jul 24 19:20:01 2025
    XPost: linux.debian.devel

    On 2025-07-23 Simon Josefsson <[email protected]> wrote:
    > Andreas Metzler <[email protected]> writes:
    >>> The documented reason for removal from unstable was a FTBFS
    >>> https://bugs.debian.org/1100144
    >>> [...]
    >>
    >> Hello,
    >> Yes. liboqs ended up being unmaintained, lagging multiple upstream
    >> versions behind. I pondered adopting/rescuing it but refrained from
    >> doing so when I got the impression this might probably never be a
    >> candidate for Debian stable, i.e. it should always have lived in
    >> experimental instead of sid.
    >
    > Is it forbidden for packages to exist in unstable and/or experimental
    > only in Debian?

    Hello Simon,

    *I* think having packages only available in experimental is perfectly
    fine. unstable is dicey because iirc it has happened that our stopgap
    measure to prevent testing migration (rc-bug) failed to work. Imho that
    might work for leaf packages but not for libraries because it adds
    another possibility for making errors. ("Gosh I did not realize my
    package did not migrate to testing anymore because it picked up a dep on
    a non-migratable package.")

    > While liboqs is not intended for normal production use because of
    > certain properties, it is useful for its designated purposes of
    > experiments and testing. I think we somehow conflate these two,
    > thinking that everything in a Debian stable release MUST be intended for
    > secure production use. I think it is fine to ship things with known
    > serious issues for certain use-cases, but perfectly good properties for
    > other use-cases, as long as the limitations and use-cases are clearly
    > documented. So to me having liboqs in a Debian stable release seems
    > acceptable.
    [...]
    Two things:
    * Afaiui upstream would prefer we did not do that.
    * I doubt that a multi-year old version of liboqs (which is what you'd
    have in stable in a not too distant future) would be useful for
    experiments and testing. liboqs is pretty fast moving. You would want
    bleeding edge for experimenting.

    cu Andreas

    --
    `What a good friend you are to him, Dr. Maturin. His other friends are
    so grateful to you.'
    `I sew his ears on from time to time, sure'

  • From Simon Josefsson@21:1/5 to Andreas Metzler on Fri Jul 25 10:20:01 2025
    XPost: linux.debian.devel

    Andreas Metzler <[email protected]> writes:

    >> Is it forbidden for packages to exist in unstable and/or experimental
    >> only in Debian?
    >
    > Hello Simon,
    >
    > *I* think having packages only available in experimental is perfectly
    > fine. unstable is dicey because iirc it has happened that our stopgap
    > measure to prevent testing migration (rc-bug) failed to work. Imho that
    > might work for leaf packages but not for libraries because it adds
    > another possibility for making errors. ("Gosh I did not realize my
    > package did not migrate to testing anymore because it picked up a dep on
    > a non-migratable package.")

    Okay. Is the experimental buildd setup the same as for unstable? I
    recall that uploading to experimental built things differently, which
    caused it to not be similar to uploading to unstable, triggering weird
    build errors. But maybe the buildd setup has evolved since then.

    >> While liboqs is not intended for normal production use because of
    >> certain properties, it is useful for its designated purposes of
    >> experiments and testing. I think we somehow conflate these two,
    >> thinking that everything in a Debian stable release MUST be intended for
    >> secure production use. I think it is fine to ship things with known
    >> serious issues for certain use-cases, but perfectly good properties for
    >> other use-cases, as long as the limitations and use-cases are clearly
    >> documented. So to me having liboqs in a Debian stable release seems
    >> acceptable.
    > [...]
    > Two things:
    > * Afaiui upstream would prefer we did not do that.

    That is a good reason to keep it out of stable, although we should
    qualify if they understood what they were asking for. Having it in
    stable to support experiment and testing seems to be in line with their
    stated goals. It seems more that they don't want it to be used for
    protecting sensitive data, which is a different request.

    > * I doubt that a multi-year old version of liboqs (which is what you'd
    > have in stable in a not too distant future) would be useful for
    > experiments and testing. liboqs is pretty fast moving. You would want
    > bleeding edge for experimenting.

    My primary use-case for liboqs in stable is to set up interop testing
    between different PQ libraries and help development of PQ libraries.
    Having some OLD and stable release of liboqs widely available is what I
    would prefer. I want to test that some other PQ crypto libraries are
    able to interop with some old known-to-produce-correct-results liboqs.
    So there is no need for this liboqs to be able to protect sensitive
    data. It just has to produce something. Which seems to match what the
    liboqs maintainers say it is good for.

    /Simon

