formally approve Sequoia as a critical dependency #6806
Labels
needs/discussion
queued up for discussion at future team meeting. Use judiciously.
Rust
Issues that touch Rust code
Comments
14 tasks
cfm
added
the
needs/discussion
|
I'll also add that initially Sequoia primarily supported the nettle cryptographic library, which was also going to be a new dependency for us. But thanks to the RPM work, it now supports OpenSSL, which is already a trusted part of our stack. (And the oxidize branch now uses OpenSSL) |
|
Decision has basically been made, will leave this open for final discussion with last call for objections next week. |
|
No objections/concerns in today's team meeting. Full speed ahead! 🚀 |
github-project-automation
bot
moved this from Cycle Backlog
to Done
in SecureDrop dev cycle
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In considering freedomofpress/securedrop-engineering#18 and scoping #6399, there was interest in formally reviewing and approving Sequoia as a new critical dependency. Of particular concern was the fact that "Sequoia has not been audited yet, due to a lack of funding".
Since then, one of our own upstreams, The Fedora Project, has adopted Rust in its own critical tooling, namely the RPM package manager. This precedent may be enough for us to approve Sequoia for use without further project-level review of our own.
The text was updated successfully, but these errors were encountered: