[Owasp-board] [phpsec] confidentialString function uses hard-coded key (#108)

johanna curiel curiel johanna.curiel at owasp.org
Wed Nov 25 23:19:13 UTC 2015


@owaspjocur <https://github.com/owaspjocur> The code still exists in the
history of the repository if anybody wants to fix it.

I created another pull request which makes this more explicit: #111
<https://github.com/OWASP/phpsec/pull/111>

My personal opinion is that this code isn't fixable. It would need to be
completely rewritten. Even if you disagree, at the moment there is nobody
who wants to work on it.

I would also recommend in future that you let people work on projects in
their own personal namespace and only transfer them into the OWASP
namespace once they have been thoroughly reviewed. If anyone picks up this
project again there should be no risk of it being left half complete with the
OWASP name on it.

I would say that this issue has now been resolved, thank you to @SvenRtbg
<https://github.com/SvenRtbg> and some of the guys on Twitter for their
co-operation.

Hi Andrew

I'm just a volunteer but I always keep an eye on what happens with projects
in general.
OWASP is mostly run by volunteer efforts, and we have taken note of your
comments.

In fact, this motivated me to propose higher requirements to allow
security library projects at OWASP, and we also hope to start running a
bounty program to QA security libraries and set higher requirements for new
security libraries.

http://lists.owasp.org/pipermail/owasp-leaders/2015-November/015553.html

Regards

Johanna

On Wed, Nov 25, 2015 at 6:48 PM, Andrew Carter <notifications at github.com>
wrote:

> @owaspjocur <https://github.com/owaspjocur> The code still exists in the
> history of the repository if anybody wants to fix it.
>
> I created another pull request which makes this more explicit: #111
> <https://github.com/OWASP/phpsec/pull/111>
>
> My personal opinion is that this code isn't fixable. It would need to be
> completely rewritten. Even if you disagree, at the moment there is nobody
> who wants to work on it.
>
> I would also recommend in future that you let people work on projects in
> their own personal namespace and only transfer them into the OWASP
> namespace once they have been thoroughly reviewed. If anyone picks up this
> project again there should be no risk of it being left half complete with the
> OWASP name on it.
>
> I would say that this issue has now been resolved, thank you to @SvenRtbg
> <https://github.com/SvenRtbg> and some of the guys on Twitter for their
> co-operation.
>
>> Reply to this email directly or view it on GitHub
> <https://github.com/OWASP/phpsec/issues/108#issuecomment-159748895>.
>