I propose we establish some standards for libraries we will incorporate in crypto-lib (or Ursa or whatever we will soon call it :)  )

As a motivating example there’s a PR to add a blake2 library. I’ve not independently verified the performance claims but it looks like it is quite fast. In the risk department, though, the source repo indicates a single contributor and only 2-3 months of history. The latter raises risks that the code is not hardened and the former is a risk that it won’t be maintained.

The different tiers we establish complicate having a single list of criteria. Without being too rigid we could probably make a matrix of what degree applies to which tier. Here’s a starter list of criteria:

• Maturity (how long has this code existed)
• Maintainer count (how likely is the code to be maintained and issues responded to)
• Community size (are there active mail lists and users that indicate it’s in active use)
• Bug reporting (is there a way to submit security bugs)
• What is the maintenance history (regular updates, patches, responsiveness for CVEs)?
• Known issues (due diligence that the code is sound)
• Are there protected releases (can we depend on signed libraries)

Taking `maturity` as a simple example we could set the levels for the 3 tiers as

Standard:            1 year

Semi-Trusted:   3 months

Research:            NA

Interested in feedback on this approach.

Regards,

Dan