build: use official Findlibsodium + add option to download and build libsodium #4562
Conversation
|
The failing CI build is a setup quirk? (As e.g. this commit on master also failed: https://github.com/zeromq/libzmq/actions/runs/4671679606/jobs/8272961115) |
aminya
changed the title
Sorry, but no, this is broken by design. We are not going to embed a security critical library. If you use it, you must get a sensible maintenance and deployment model, supported by a security team. |
|
This PR doesn't change the behaviour. Everything is opt-in determined by the user of libzmq. I can argue that the current build system has more security issues. As it is almost impossible to get libzmq to build statically with libsodium with the master's CMake. See #4484 for context. People have suggested not using libsodium altogether because of this! |
|
The wrong part is not the static linking, is downloading and embedding the sources. The built library needs to be provided by an external, managed, maintained source. |
|
so to be extra clear, if you want to improve static linking in cmake, by all means update the PR to do that, but no integration with downloading and building external sources, if people want to shoot themselves in the foot and get pwned by vendoring random versions of cryptographic primitives, they'll have to do it themselves, we will have no part in facilitating that |
|
What would be the difference in downloading libsodium yourself, make some malicious changes and link your libzmq build statically against that? Could we do something like hash checking on the download files, to be a bit more sure? The "do not compile libsodium yourself" is a bit harsh in my opinion, as like said, a capable person with bad intentions could do it either way easily. And, given the fact that libsodium itself doesn't even provide binaries for Linux, and suggests to build it from source? : https://doc.libsodium.org/installation#compilation-on-unix-like-system @aminya for zeromq.js , it could be also possible to default build without Curve (libsodium/NaCl), and when you do need it, there is a guide on how to statically link it. Anyway, if the PR is not accepted with building from source, it is a great PR anyway without it for linking statically. Such that the prebuilts for zeromq.js have an official statically linked libsodium packaged. |
The difference is that it's someone else who does that, so they will have the blame when it inevitably leads to the expected catastrophic results, without any endorsement from this library. Linux distributions exist for a reason, use them. |
|
To address the concerns, added an opt-in option for downloading via CPM. Additionally, forked libsodium-cmake into the @zeromq organization. The commit used in CPM is now hashed via Sha256 so it will not change. Also, since Libsodium merged my patch for FindLibsodium, replaced the CMake module with the upstream one. So it is identical: |
aminya
changed the title
Not good enough, please remove it completely. It is not acceptable in any way, whether it is optional or not. |
Before doing something like that, next time consult with the project please. This is not acceptable. I've deleted it now. I cannot possibly be any clearer: we are not going to maintain forks of cryptographic primitives anywhere here |
|
This raises some concerns for me. Maybe, @zeromq/core @zeromq/zeromq-js can clarify if as the maintainer of zeromq.js, I am allowed to fork a repository into the organization or not. Even if you do not want to merge this to zeromq, you may not delete the repository I created. |
You can add repositories to the organizations when it is sensible to do so, and most of the times it is, as you can see from the list of repositories that are part of it. Dumping an unmantainable fork of cryptographic primitives is NOT one of those occasions, especially as a lazy shortcut. Please do not do that. We take security seriously here. |
|
This definition of security doesn't seem to align with what others think. I just added the fork as an additional layer of security to lock up any changes because you requested the change. Otherwise, other security-conscious repositories in this organization like https://github.com/zeromq/zmq.rs/blob/7baeeffde9e4cb9741d1841cfdee5f00f354b578/Cargo.toml#L18 |
Not only I have made no such request, I have only been abundantly clear: there shall be no embedded security critical library here. There is no cryptographer, nor a security team available 24/7 on-call around here. Leave maintenance of cryptography primitives to those who understand them and have the resources to do so. |
Not addressed in many months, closing |
Updates Findlibsodium to the official module provided by libsodium itself
This adds an option for libsodium to download and build it from the source and respect the options of libzmq. I verified the built with
WITH_LIBSODIUM_STATICset to bothONandOFF.It uses
libsodium-cmakewithCPMfor the building libsodium.Fixes #4484
Closes zeromq/zeromq.js#554
Closes zeromq/zeromq.js#553
Related to zeromq/zeromq.js#529