Dear Cardano community,
dear developers of Input Output HK,
To run the cardano-node and the cardano-cli it is neccessary to dynamically link a library for cryptographic operations with the name libsodium. In the documentation is written, that the pool operators have to use libsodium from the source GitHub - input-output-hk/libsodium: A modern, portable, easy to use crypto library. with revision 66f017f1. This revision uses the latest version of the branch tdammers/rebased-vrf in the git repository. If you compile it you get follwing warnings:
*** This is unstable, untested, development code.
It might not compile. It might not work as expected.
It might be totally insecure.
Do not use this except if you are planning to contribute code.
Use releases available at Index of /libsodium/releases/ instead.
Alternatively, use the “stable” branch in the git repository.
At this point I’m a little bit confused and have following questions:
Why we are using in general an unofficial version of libsodium? Cryptographic operations are very important and are security related and should be maintained from the community.
If you implement additional functions. Why you are not creating a pull-request and integrate this functionality into the libsodium project?
If the developers of Input Output HK have to implement special functions, why it is not placed in cardano source?
Why we are using a library which is not released in the git repository and tagged with a dedicated version number? It feels not right to use a branch which might be unstable.
If you ask me Input Output HK should not fork the libsodium library. It might be better to integrate the additional functions using the pull mechanism into the official project and release it with all the required tests. If that’s not possible than they should integrate it into the source code of cardano.
No one has an answer for or an opinion about this important issue? I mean Charles Hoskinson says, that in Cardano a peer review is mandatory and the code standard is so high and everything is transparent and robust. But if you ask me forking and then releasing a library from a development branch is everything else than professional. Is this code tested? Who released it? Who is maintaining it and how? And we are talking not from a library which is doing logging. We are talking about a library which provides the key functions of the project the cryptographic operations.
How should you convince investors to participate on Cardano if that what your are saying is different than what you are doing. From my point of view as a software architect this is a no-go.
What do you think about my view? Please comment and like my post to get this issue weighted.
I didn’t respond as it’s an open forked repo maintained by IOHK and I trust their ability - along with the abilities of the sophisticated operator community, to adequately test
It thought I saw it will be integrated into the code at some point but time to market matters
Thank you for your contribution. I respect your opinion. But how hard could it be to release this version in the forked and manged repository of IOHK and tag it with a dedicated version number (solution number 4 in my initial post)? It takes two second with a git command. I mean we are talking about the mainnet release of Shelley not a testnet or a preview release.
Time to market is not an excuse if you ask me. And if time to market is more important than following the release processes then there is something fundamental wrong. Especially if you keep Charles Hoskinson words in mind how professional the work is.
I share your concern because we’re still using that specific commit of the forked version as of now - per the official documentation. After searching a bit more about this, it looks like using this forked version is intentional. There was a conversation talking about merging this VRF feature support to upstream. However, it’s not happening because VRF specification is still a draft version.
References:
But definitely, I’d keep monitoring closely this because it will introduce complexity in the future.
This is mostly a documentation issue, is it? I could not find a trace of VRF functions used anywhere in cardano-node, and in fact the original library version is used in CI workflows. Let’s hope the cardano team can clarify this.
Last but not least. Governance: if a crypto currency project uses someone else’s open source crypto library it would be really nice to sponsor this crypto library and get some nice exposure of ADA in the developer community.