> On 28. 1. 2023, at 21:42, Sam Hartman <hartm...@debian.org> wrote:
> 
>>>>>> "Jan" == Jan Mojzis <jan.moj...@gmail.com> writes:
> 
> * Package name    : randombytes
>  Version         : 20230126
>  Upstream Author : Daniel J. Bernstein
> * URL             : https://randombytes.cr.yp.to/
> * License         : Public domain
> 
> Public domain is problematic as a license.
> At least under US copyright law, there are very few circumstances when
> something can actually be public domain.
> One example is software written by US government employees.
> But I don't think any of those circumstances apply to this library.
> So I'm not sure the license is okay.

If I understand it correctly, a CC0-style public-domain declaration in debian/copyright solves the problem.
(learned here: https://lists.debian.org/debian-mentors/2017/09/msg00171.html)

~~~
License: public-domain-CC0-1.0
 Public domain.
 .
 Upstream library is marked as public-domain https://randombytes.cr.yp.to/index.html.
 .
 Public-domain mark does not have the same meaning in all jurisdictions,
 to avoid confusion, please follow CC0 1.0 Universal.
 The complete text of the CC0 license, version 1.0,
 can be found in /usr/share/common-licenses/CC0-1.0.
~~~

Or am I wrong?

> 
> I'll also admit to being skeptical of the utility of such a library
> given the getrandom() API in libc.

The library internally uses getrandom().
The primary bonus is in portability and usability. The library (namely randombytes-kernel) uses one of the variants
getrandom(), getentropy(), "/dev/urandom", and the user/application doesn't need to care what resource is available on a given operating system.
And the user/application also doesn't have to worry about whether the system has enough entropy (e.g. /dev/urandom initialized).
Randombytes() simply waits/blocks until there is enough entropy.

Jan

