Linus Färnstrand

This PR is now more or less ready for final review. The things missing are: * Some entries in `gui/osv-scanner.toml` have inadequate `reason`s and have not been proven to be...

Sorry, but we don't support OpenSUSE, nor MicroOS. Our installation scripts rely on the needed resources being in place while executing. Why is MicroOS running the post installation scripts before...

Here is our own lockfile, I can start by linking that. I'll see if I can find more examples later: https://github.com/mullvad/mullvadvpn-app/blob/main/android/gradle/verification-metadata.xml

Yes. The Classic McEliece library has an alloc feature that can be turned off, and zerioze still works. It's just that the caller must provide a mutable reference to the...

Thanks for tending to this issue. Sorry for not replying in a few days. I'll try to catch up and help where I can! > from what I can see...

> there's likely a fair bit of overhead with heap allocation. I don't think it's healthy to look at heap allocations as inherently evil. Sure, they can have measurable performance...

Sorry, I don't think I understand how your example show there is a flaw with passing in mutable array references as secrets buffers. You are passing `foo` as an array...

```rust sk.as_array()[..4].try_into().unwrap() ``` This code copies the secret key to a new location in memory, but in a pretty obfuscated way. As pointed out above, as long as you give...

> and the copy itself should always be zeroized too. How can you enforce that? You will need to give library users `&[u8; ...]` access to the derived shared secret,...

> I guess they want `for (polyvec, i) in a.iter().enumerate(){` instead but that defeats the point because i is still there in the end and we have yet another variable...