[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Tony Turner tony.turner at owasp.org
Wed Dec 2 20:38:50 UTC 2015


This is still ongoing and needs another look.
https://github.com/OWASP/phpsec/issues/120#issuecomment-161396666

Need the phpsec.owasp.org page updated probably.
On Nov 26, 2015 3:17 AM, "AF" <antonio.fontes at owasp.org> wrote:

> s/GAMA/GAFA/
>
> Sorry.
> (sent with mobile, please excuse any excessive brevity or typo)
> --
> Antonio Fontes
> OWASP Switzerland, board member
> OWASP Geneva, chapter leader
> skype: antonio.fontes
>
> On November 26, 2015 8:30:17 AM GMT+01:00, AF <antonio.fontes at owasp.org>
> wrote:
>>
>> Yes, agree. I'd rather see it flagged than not see it at all.
>>
>> Cheers,
>> Antonio
>>
>>
>> PS: We all know that deleting content on user's request is nope. GAMA are
>> wonderful teachers ;)
>> (sent with mobile, please excuse any excessive brevity or typo)
>> --
>> Antonio Fontes
>> OWASP Switzerland, board member
>> OWASP Geneva, chapter leader
>> skype: antonio.fontes
>>
>> On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico <
>> jim.manico at owasp.org> wrote:
>>>
>>> The project is still live and will continue to be.
>>>
>>> https://github.com/OWASP/phpsec
>>>
>>> 1) It's been labeled clearly as abandoned, which is fair to say I think
>>> (In both GitHub and the Wiki).
>>> 2) The codebase has been deleted from the main branch
>>> 3) For anyone who wishes to revive this project, all the code is in the
>>> project history
>>>
>>> I think this is a fair balance of all concerns.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>> On 11/26/15 1:46 AM, Antonio Fontes wrote:
>>>
>>> Hi,
>>>
>>> I agree with Abbas on this point.
>>>
>>> OWASP has a responsibility to warn users when a library project is
>>> inactive, unmaintained and/or was identified as broken by experts in the
>>> domain (if it really is, disclaimer: I have only read the content posted in
>>> the leaders list).
>>>
>>> However, I don't see a valid rationale behind the decision to suppress
>>> it entirely. Users don't get to decide what gets suppressed or not from the
>>> web, especially when the content doesn't belong to them, more especially
>>> when the argument is "it's not clean", and even more especially when the
>>> request for deletion comes from "crypto-experts" (I want to see the badge
>>> first).
>>>
>>> Our mission as OWASP leaders is to lead, not to baby-sit people who
>>> download code marked as unsafe and abandoned and install it in their
>>> organization's systems.
>>>
>>> If we abide by this rationale, then we should suppress all previous
>>> versions of the OWASP guides that are currently available for download as
>>> archives.
>>> Most of them are incomplete, do not cover the state-of-the-art knowledge
>>> we have reached today, and many of them contain advice that is outdated.
>>>
>>> regards,
>>> Antonio
>>>
>>> --
>>> OWASP Geneva Chapter
>>> Contact: geneva at owasp.ch
>>> Twitter: @owasp_geneva
>>> Newsletter: https://lists.owasp.org/mailman/listinfo/owasp-geneva
>>>
>>> On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>>>
>>> >>All they want is to delete the code entirely, which doesn’t make sense
>>> to me at all.
>>>
>>> Abbas, their point is that it is not responsible to leave this open if no
>>> one is going to document or fix it. I don't think it is responsible to leave
>>> an insecure library. And I did take the time to read the issues they
>>> mentioned.
>>>
>>> You are the main person responsible for your project, not the users that
>>> pinpointed the issues, nor should they go and change it when they have the
>>> opinion that the entire library does not serve the purpose.
>>>
>>> People who want to see the whole thread can judge by themselves:
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>
>>> I even defend you as a volunteer, but I have the opinion that we have a
>>> responsibility towards users, especially if you have not worked on this
>>> project for more than a year and have no time to fix issues in a security
>>> library.
>>>
>>> Even Sven, who was a contributor to this project, accepted that this
>>> library does not achieve its purpose and should not be available to users;
>>> it is just not responsible.
>>>
>>> Sometimes we need to kill our darlings...
>>>
>>> Btw I'm just a contributor as you are.
>>>
>>>
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>>> I’m perfectly fine with criticising and QAing projects.
>>>>
>>>> What I’m not fine with, is reading some blogs or posts somewhere,
>>>> without verifying their validity, and then putting the blame on our
>>>> contributors without proper investigation.
>>>>
>>>> This is not how we defend and motivate our community.
>>>>
>>>> Plus, the only solution for a “broken library” is either to fix it, or
>>>> to announce it as broken. These gentlemen insisting on removing the library
>>>> sounds like trolling to me. They even refuse to add a README file to the
>>>> Github repo which clearly states that
>>>> this project is inactive and insecure. All they want is to delete the
>>>> code entirely, which doesn’t make sense to me at all.
>>>>
>>>> I’m unhappy with your post, because you say “they have valid points”
>>>> without properly investigating. They think they didn’t make progress by
>>>> trolling on Github, and now are using you to reflect this issue on the
>>>> leaders list. You could’ve contacted me first and asked about this before
>>>> going public with it. I’m very unhappy with the process you have taken for
>>>> this, undermining a contributor completely.
>>>>
>>>> Regards
>>>> -Abbas
>>>>
>>>>
>>>> On Nov 25, 2015, at 1:44 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>> >>If you’d want to keep your “users” happy and your “contributors”
>>>> unhappy, you should think of a commercial organisation instead of an open
>>>> one.
>>>>
>>>> I think this is a very difficult balance to strike. I understand your
>>>> pov as a contributor, but the fact is, OWASP also has a reputation of being
>>>> 'secure', so probably the expectations are higher because we preach
>>>> security.
>>>>
>>>> Look, I volunteer too, but my proposals get questioned and criticised
>>>> in a way that feels to me like I'm being questioned as an employee and
>>>> not a volunteer; but in a certain way, if you look deeply, the people
>>>> questioning my proposals want to achieve goals that are aligned with the
>>>> OWASP mission. And that means I have to work harder to present my arguments.
>>>> Just because the effort is 'volunteered' does not mean it does not hold
>>>> certain responsibilities.
>>>>
>>>> Let me ask you: has this project ever been tested to verify how well
>>>> it works or not? Most projects at OWASP do not have any form of QA.
>>>> Security libraries hold more responsibility in this case.
>>>>
>>>> This is a security library and if it contains security issues then this
>>>> is a problem. This does not align with the mission, even if a lot of work
>>>> was put to create this project.
>>>>
>>>> I don't think they are trolling you. They have valid points, and their
>>>> complaint is that it is not responsible to leave this library to be used if
>>>> it holds these issues or they are not properly explained. And it is not only
>>>> the crypto issue.
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>
>>>>> I agree with all of that.
>>>>>
>>>>> This is an open source project. If they find issues, especially tiny
>>>>> issues that can be fixed with a few lines of code,
>>>>> they are welcome to do so. That is not grounds for deleting a project.
>>>>>
>>>>> The way I see it, is that they are trolling, and not helping. I have
>>>>> not created this library, and I’m only defending it because it is the right
>>>>> thing to do.
>>>>> If you’d want to keep your “users” happy and your “contributors”
>>>>> unhappy, you should think of a commercial organization instead of an open
>>>>> one.
>>>>>
>>>>> Regards
>>>>> -Abbas
>>>>>
>>>>> On Nov 25, 2015, at 1:25 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> Abbas
>>>>>
>>>>> I think they made very strong points and the project is right now
>>>>> inactive since it has not been updated in more than a year.
>>>>>
>>>>> The people commenting on your project have quite a reputation themselves
>>>>> too.
>>>>>
>>>>> I think if these issues cannot be fixed by you, since you are the
>>>>> leader, and since the project is inactive, the best is to warn users.
>>>>> Sven, who was a contributor, also acknowledged the issues.
>>>>>
>>>>> By the way, going from complaints of multiple PHP developers on the GitHub
>>>>> page of the project to now Twitter means they are not happy and they are
>>>>> trying to escalate their concerns. That's how I see this.
>>>>>
>>>>> regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>>
>>>>>> They are trying to troll the project.
>>>>>> Read the thread at
>>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to
>>>>>> realize that.
>>>>>> We have provided ample opportunity for them to contribute, fix, or
>>>>>> help the project.
>>>>>> All they want is to take the project down, which I obviously refuse.
>>>>>>
>>>>>> I don’t think it really hurts OWASP's reputation. If anyone delves into
>>>>>> the technical discussions that would be apparent.
>>>>>> Regards
>>>>>> -Abbas
>>>>>>
>>>>>> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>> Hi Erlend
>>>>>>
>>>>>> We are aware of the issues and remediation is underway ;-)
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>>> Yup, it's bad.
>>>>>>>
>>>>>>> Johanna Curiel and Claudia are leading the charge here. They are in
>>>>>>> the process of fully removing the project from GitHub. As in, right now…
>>>>>>>
>>>>>>> - Jim
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> See https://twitter.com/voodooKobra/status/669537889500311553 and the
>>>>>>> link in that message.
>>>>>>>
>>>>>>> According to the OWASP website the project is inactive, yet
>>>>>>> contributions are made on github, and there are no signs of the project
>>>>>>> status on github.
>>>>>>> The crypto code is bad, as voodooKobra rightly points out. With a
>>>>>>> known key and IV, this encryption is useless.
>>>>>>> And the code is referenced from stackoverflow++.
>>>>>>>
>>>>>>> When deactivating a project we need to make sure the deactivation is
>>>>>>> clearly visible on GitHub as well.
>>>>>>>
>>>>>>> Best regards
>>>>>>> Erlend Oftedal
>>>>>>> OWASP Norway
>>>>>>> @webtonull
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>>
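Erlend's point above, that a fixed key and IV make the encryption useless, illustrated with added PHP that is not phpsec's code: the weak pattern beside the hardened one. The constants, function names and demo key are constructed for this example; the hardened version assumes PHP 7.1+ for AES-GCM support in `openssl_encrypt`.

```php
<?php
// Added illustration, not phpsec's code. Key/IV constants below are constructed.

// WEAK: key and IV are fixed in the (public) source, so anyone who reads the
// library can decrypt every message, and equal plaintexts give equal ciphertexts.
const WEAK_KEY = '0123456789abcdef0123456789abcdef'; // 32 bytes, constructed
const WEAK_IV  = 'abcdef0123456789';                 // 16 bytes, constructed

function weakEncrypt(string $plaintext): string
{
    return openssl_encrypt($plaintext, 'aes-256-cbc', WEAK_KEY, OPENSSL_RAW_DATA, WEAK_IV);
}

// HARDENED: the key is supplied by the caller (config/secret store, never the
// source), a fresh random IV is drawn per message and shipped with the
// ciphertext, and GCM authenticates the result so tampering fails on decrypt.
function encrypt(string $plaintext, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $iv  = random_bytes(12); // 96-bit nonce, the recommended size for GCM
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $iv . $tag . $ct; // receiver parses iv (12) | tag (16) | ciphertext
}

function decrypt(string $blob, string $key): string
{
    if (strlen($blob) < 28) {
        throw new RuntimeException('ciphertext too short');
    }
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($blob, 0, 12), substr($blob, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $pt;
}

// Demo with a constructed key; in practice read it from the environment or a secrets manager.
$key = random_bytes(32);
var_dump(weakEncrypt('attack at dawn') === weakEncrypt('attack at dawn'));     // same plaintext, same ciphertext under a fixed key+IV
var_dump(encrypt('attack at dawn', $key) === encrypt('attack at dawn', $key)); // per-message IV: repeated plaintext is not visible
var_dump(decrypt(encrypt('attack at dawn', $key), $key) === 'attack at dawn'); // round trip with tag verification
```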

