remove elliptic.P224 usage #1548
Conversation
|
There were the following issues with your Pull Request
Guidelines are available to help. Your feedback on GitCop is welcome on this issue This message was auto-generated by https://gitcop.com |
Fedora/RedHat distros comply with US patent law and remove this curve, which makes it impossible to run ipfs with distro provided Golang. License: MIT Signed-off-by: Pavol Rusnak <stick@gk2.sk>
|
@prusnak I've filed a bug against the fedora maintainers for this in the past. Could you provide a bit more elaboration around 'complies with US patent law' ? If its illegal in some way to have that curve, then I would think that the Go team would remove it themselves. |
|
It is not illegal. Red Hat is just cautious not to break any patent by shipping some patented code. Go maintainers have nothing to lose because they are not a company with assets. Anyway, the discussion is irrelevant. The fact is go-ipfs does not work out of the box on RH-distros powered machines, which are quite common. If P-224 can be safely removed using the suggested code I would suggest to do it. |
|
I'm really curious what patents redhat is worried about, djb went through all relevant stuff and as far as he can tell, nothing applies to that curve: http://cr.yp.to/nistp224/patents.html I'll merge the PR once i get a second 👍 from @jbenet, but I think its silly that we have to worry about this. |
|
@prusnak thanks for bringing this up, and the PR. I'm 👎 on this in general. I'm with djb, the go team, and @whyrusleeping on that p224 is safe to include in software. I'm also 👎 in that PRs like this is essentially saying "group X believes non-certain belief Y, so please change your code + beliefs to fit ours". I think that in cases like these redhat should patch go-ipfs the same way it patches go itself. All that said, I do not think many people (if any) are using P224 mainly (it is not the default), and there are multiple other exchanges by default. Since it is not an option (it requires a recompile atm) to change the ciphers, i suspect nobody is using it exclusively. And we will be using a different cipher eventually anyway. So it would be in general easier for everyone if we remove it, and it seems ok to do so. If anyone complains, we may add it back. In that case, you can PR to introduce a build flag to disable it for your use case. (attention future requesters of similar removals: features can only go away if they do not impact users). |
Fedora/RedHat distros comply with US patent law and remove this curve,
which makes it impossible to run ipfs with distro provided Golang.
I hope the change is OK, but I have not tested it.
I sent more or less the same issue to Ethereum project and it was accepted here: ethereum/go-ethereum@3f07afb