Dear Cardano community,
dear developers of Input Output HK,
To run the cardano-node and the cardano-cli it is necessary to dynamically link a library for cryptographic operations with the name libsodium. The documentation states that the pool operators have to use libsodium from the source https://github.com/input-output-hk/libsodium with revision 66f017f1. This revision uses the latest version of the branch tdammers/rebased-vrf in the git repository. If you compile it you get the following warnings:
*** This is unstable, untested, development code.
It might not compile. It might not work as expected.
It might be totally insecure.
Do not use this except if you are planning to contribute code.
Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
Alternatively, use the “stable” branch in the git repository.
At this point I’m a little bit confused and have the following questions:
Why are we using, in general, an unofficial version of libsodium? Cryptographic operations are very important and security related and should be maintained by the community.
If you implement additional functions, why are you not creating a pull request and integrating this functionality into the libsodium project?
If the developers of Input Output HK have to implement special functions, why are they not placed in the cardano source?
Why are we using a library which is not released in the git repository and tagged with a dedicated version number? It does not feel right to use a branch which might be unstable.
If you ask me, Input Output HK should not fork the libsodium library. It might be better to integrate the additional functions into the official project using the pull mechanism and release them with all the required tests. If that’s not possible, then they should integrate them into the source code of cardano.
A Pool Operator