On 11/10/25 03:05, Adriano dos Santos Fernandes wrote:
> Hi!
>
> Why did we include the arc4 code inside fbclient but chacha is a
> loadable plugin?
When FB3 was 'under construction' one of the strong requirements was to
have a single-file client. Somehow that requirement became much less
actual with time - maybe because people more and more prefer to use
installers for the client too (not server only), instead of copying files with
Norton :)
>
> Is it to avoid dependency on dynamic tomcrypt library?
Yes, arc4 is trivial but chacha is more complex, and was implemented
using a standard library. Always adding such a dependency appeared bad.
There is one more detail with client traffic encryption - arc4 gets
unreliable when the same key is used many times in many sessions. That's not
our case - for each session we use a new key, and at least one generated
by SRP has high crypto quality. I.e. chacha is not required for most
users, it was added just to make some companies happy.
>
> Why did we dynamically link tommath/tomcrypt instead of statically linking?
First of all - not to depend upon bugs in libraries; in case of a severe
security bug in them we do not need to care about our binaries. People
may install a system one. There is an ABI issue with tomcrypt not always
making such replacement possible, but most Linux distros have a
compatible one.
And certainly to let people use the plugins & libraries they really need.
Imagine gssauth is ported from hqbird (it sure will happen sometime) -
should we add kerberos to our tree and link it with fbclient statically?
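
An added illustration of the point above about arc4 and key reuse. It is not part of this thread and not Firebird's code. It uses a textbook RC4 and shows one reason a per-session key matters: with the same key in two sessions the keystream is identical, so it cancels out of the XOR of the two ciphertexts. The keys and payloads are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Textbook RC4 (arc4): key schedule, then keystream XORed over the buffer. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *c, const uint8_t *key, size_t klen) {
    uint8_t j = 0;
    for (int n = 0; n < 256; n++) c->s[n] = (uint8_t)n;
    for (int n = 0; n < 256; n++) {
        j = (uint8_t)(j + c->s[n] + key[(size_t)n % klen]);
        uint8_t t = c->s[n]; c->s[n] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

static void rc4_xor(rc4_t *c, uint8_t *buf, size_t len) {
    for (size_t n = 0; n < len; n++) {
        c->i++;
        c->j = (uint8_t)(c->j + c->s[c->i]);
        uint8_t t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
        buf[n] ^= c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
    }
}

/* Encrypt two constructed 16-byte session payloads, one under k1 and one
 * under k2. Returns 1 if c1 XOR c2 equals p1 XOR p2 (the keystream
 * cancelled, so the ciphertexts leak plaintext structure), else 0. */
int keystream_cancels(const uint8_t *k1, const uint8_t *k2, size_t klen) {
    const char *p1 = "SELECT * FROM T1", *p2 = "UPDATE T2 SET X=";
    uint8_t c1[16], c2[16];
    rc4_t a, b;
    memcpy(c1, p1, 16); memcpy(c2, p2, 16);
    rc4_init(&a, k1, klen); rc4_xor(&a, c1, 16);
    rc4_init(&b, k2, klen); rc4_xor(&b, c2, 16);
    for (int n = 0; n < 16; n++)
        if ((c1[n] ^ c2[n]) != ((uint8_t)p1[n] ^ (uint8_t)p2[n])) return 0;
    return 1;
}

int main(void) {
    const uint8_t ka[] = "k1-constructed-A", kb[] = "another-key-0xB2";
    printf("same key in both sessions: %d\n", keystream_cancels(ka, ka, 16));
    printf("new key per session:       %d\n", keystream_cancels(ka, kb, 16));
    return 0;
}
```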