consento-org / crypto

Crypto primitives for the consento workflow
MIT License

Any plans to have the code audited? #13

Closed chmac closed 3 years ago

chmac commented 3 years ago

One of the biggest factors in my choosing tweetnacl-js over other similar libraries was the fact that the code has been audited, and received a very glowing report.

Do you have any plans to have this library audited?

martinheidegger commented 3 years ago

The underlying implementation of libsodium is sodium-universal, which also powers hypercore. It has been mostly chosen for platform compatibility and community reasons. I don't know if sodium-universal has been security audited.

Right now this library is still quite a bit in flux, but I imagine from a 1.0 release on we are in a position that a security audit makes sense (at least technically, not sure we have the funds for it).

martinheidegger commented 3 years ago

I updated the introduction of the library to explain the functionality a bit better: https://github.com/consento-org/crypto/commit/369180c7e7bf5b04f8859eb1abd6d9c76031ba64

chmac commented 3 years ago

@martinheidegger Gotcha. I got the "this is a syntactic sugar" concept from the docs, so I think that was clear enough, nice that you linked to the exact packages now. From my perspective, if you're shooting for adoption of the package, sharing even that you plan (funds allowing) to get the code audited at 1.0 would increase my likelihood of using it. The stated intention would signal to me that you take security really seriously.

Will close this topic now that you've shared your answer. 👍

martinheidegger commented 3 years ago

@chmac Thank you for that feedback. I will keep it in mind and will update this issue as soon as I have updates on auditing.