Why is the original libsodium library not used when running a cardano-node?

Dear Cardano community,
dear developers of Input Output HK,

To run the cardano-node and the cardano-cli it is necessary to dynamically link a library for cryptographic operations named libsodium. The documentation says that pool operators have to use libsodium from the source https://github.com/input-output-hk/libsodium with revision 66f017f1. This revision uses the latest version of the branch tdammers/rebased-vrf in the git repository. If you compile it you get the following warnings:

*** This is unstable, untested, development code.
It might not compile. It might not work as expected.
It might be totally insecure.
Do not use this except if you are planning to contribute code.
Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
Alternatively, use the “stable” branch in the git repository.

At this point I’m a little bit confused and have the following questions:

  1. Why are we using, in general, an unofficial version of libsodium? Cryptographic operations are very important and security related and should be maintained by the community.

  2. If you implement additional functions, why are you not creating a pull request and integrating this functionality into the libsodium project?

  3. If the developers of Input Output HK have to implement special functions, why are they not placed in the Cardano source?

  4. Why are we using a library which is not released in the git repository and tagged with a dedicated version number? It does not feel right to use a branch which might be unstable.

If you ask me, Input Output HK should not fork the libsodium library. It might be better to integrate the additional functions into the official project using the pull mechanism and release them with all the required tests. If that’s not possible, then they should integrate them into the source code of Cardano.

Regards

A Pool Operator

Dear community,
dear IOHK,

Does no one have an answer for or an opinion about this important issue? I mean, Charles Hoskinson says that in Cardano a peer review is mandatory and the code standard is so high and everything is transparent and robust. But if you ask me, forking and then releasing a library from a development branch is anything but professional. Is this code tested? Who released it? Who is maintaining it and how? And we are not talking about a library which is doing logging. We are talking about a library which provides the key functions of the project: the cryptographic operations.

How should you convince investors to participate in Cardano if what you are saying is different from what you are doing? From my point of view as a software architect this is a no-go.

What do you think about my view? Please comment and like my post to get this issue weighted.

Regards

Elysium

I didn’t respond as it’s an open forked repo maintained by IOHK and I trust their ability, along with the abilities of the sophisticated operator community, to adequately test.

I thought I saw it will be integrated into the code at some point, but time to market matters.

Dear ADAfrog,

Thank you for your contribution. I respect your opinion. But how hard could it be to release this version in the forked and managed repository of IOHK and tag it with a dedicated version number (solution number 4 in my initial post)? It takes two seconds with a git command. I mean, we are talking about the mainnet release of Shelley, not a testnet or a preview release.

Time to market is not an excuse if you ask me. And if time to market is more important than following the release processes, then there is something fundamentally wrong. Especially if you keep Charles Hoskinson’s words in mind about how professional the work is.

Regards

Elysium