1. 16

  2. 3

    The license for this software is unclear.

    Eschewing normal practice, there’s no LICENSE file in the source distribution.

    I’m asking this because DJB seems to have views on software licensing that are at odds with the majority of the FOSS community. I’m not sure if this is still the case though.

    1. 3

      From djb’s previous writings and software, he probably intends this to be license-free software.

      1. 7

        And I know licensing is an interesting, complex topic that’s fun to armchair lawyer, so if folks want to pick up this topic please start by linking to and building your comment on the 20+ years of previous discussion, and avoid moralizing/shaming others’ licensing choices.

        1. 2

          I wouldn’t necessarily qualify many of djb’s works as “license free”. He has explicitly put many of them into the public domain. See some of the license related notations on https://cr.yp.to/distributors.html as well.

          1. 1

            Thanks for the link, it’s certainly an interesting perspective.

        2. 1

          So constant time comparison is an old classic for authentication primitives, even humorous examples (not to mention tons of websites) like passwords on some JTAG interfaces on old consoles having a return on first mismatch making a timing based extraction of the password trivial.

          According to the webpage, this was developed for post-quantum cryptography - but what other areas are there where data-dependent sorting times would be a notable risk?

          1. 2

            I think it’s just for crypto, as elaborated on page 48 of this paper. source