[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation
Jim Manico
jim.manico at owasp.org
Thu Dec 3 00:43:33 UTC 2015
I submitted a request to Kate/Claudia/Matt to have this redirected to
the GitHub site ( https://github.com/OWASP/phpsec ) which clearly shows
the project is inactive (and has security flaws) as well as a link to
the old code tree if folks want to revive it.
- Jim
On 12/2/15 12:38 PM, Tony Turner wrote:
>
> This is still ongoing and needs another look.
> https://github.com/OWASP/phpsec/issues/120#issuecomment-161396666
>
> Need the phpsec.owasp.org <http://phpsec.owasp.org> page updated
> probably.
>
> On Nov 26, 2015 3:17 AM, "AF" <antonio.fontes at owasp.org
> <mailto:antonio.fontes at owasp.org>> wrote:
>
> s/GAMA/GAFA/
>
> Sorry.
> (sent with mobile, please excuse any excessive brevity or typo)
> --
> Antonio Fontes
> OWASP Switzerland, board member
> OWASP Geneva, chapter leader
> skype: antonio.fontes
>
> On November 26, 2015 8:30:17 AM GMT+01:00, AF
> <antonio.fontes at owasp.org <mailto:antonio.fontes at owasp.org>> wrote:
>
> Yes, agree. I'd rather see it flagged than not see it at all.
>
> Cheers,
> Antonio
>
>
> PS: We all know that deleting content on user's request is
> nope. GAMA are wonderful teachers ;)
> (sent with mobile, please excuse any excessive brevity or typo)
> --
> Antonio Fontes
> OWASP Switzerland, board member
> OWASP Geneva, chapter leader
> skype: antonio.fontes
>
> On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico
> <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>
> The project is still live and will continue to be.
>
> https://github.com/OWASP/phpsec
>
> 1) It's been labeled clearly as abandoned, which is fair
> to say I think (In both GitHub and the Wiki).
> 2) The codebase has been deleted from the main branch
> 3) For anyone who wishes to revive this project, all the
> code is in the project history
>
> I think this is a fair balance of all concerns.
>
> Aloha,
> Jim
>
>
> On 11/26/15 1:46 AM, Antonio Fontes wrote:
>> Hi,
>>
>> I agree with Abbas on this point.
>>
>> OWASP has a responsibility to warn users when a library
>> project is inactive, unmaintained and/or was identified
>> as broken by experts in the domain (if it really is,
>> disclaimer: I have only read the content posed in the
>> leaders list).
>>
>> However, I don't see a valid rationale behind the
>> decision to suppress it entirely. Users don't get to
>> decide what gets suppressed or not from the web,
>> especially when the content doesn't belong to them, more
>> especially when the argument is "it's not clean", and
>> even more especially when the request for deletion comes
>> from "crypto-experts" (I want to see the badge first).
>>
>> Our mission as OWASP leaders is to lead, not to baby-sit
>> people, who download code marked as unsafe and abandoned,
>> and install it in their organization's systems.
>>
>> If we abide by this rationale, then we should suppress
>> all previous versions of the OWASP guides that are
>> currently available for download as archives.
>> Most of them are incomplete, do not cover the state of
>> the art knowledge we have reached today, and many of them
>> contain advice that is outdated.
>>
>> regards,
>> Antonio
>>
>> --
>> OWASP Geneva Chapter
>> Contact: geneva at owasp.ch <mailto:geneva at owasp.ch>
>> Twitter: @owasp_geneva
>> Newsletter: https://lists.owasp.org/mailman/listinfo/owasp-geneva
>> On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>>> >>All they want is to delete the code entirely, which doesn’t
>>> make sense to me at all.
>>>
>>> Abbas, their point is that it is not responsible to leave
>>> this open if no one is going to document or fix it. I don't
>>> think it is responsible to leave an insecure library. And
>>> I did take the time to read the issues they mentioned.
>>>
>>> You are the one mainly responsible for your project, not
>>> the users that pinpointed the issues, nor should they go
>>> and change it when they have the opinion that the entire
>>> library does not serve the purpose.
>>>
>>> People who want to see the whole thread can judge for
>>> themselves
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>
>>> I even defend you as volunteer but I have the opinion
>>> that we have a responsibility towards users especially
>>> if you have not worked in this project for more than a
>>> year and have no time to fix issues in a security library.
>>>
>>> Even Sven, who was a contributor in this project, accepted
>>> that this library does not achieve its purpose and
>>> should not be available to users; it is just not responsible.
>>>
>>> Sometimes we need to kill our darlings...
>>>
>>> Btw I'm just a contributor as you are.
>>>
>>>
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi
>>> <abiusx at owasp.org <mailto:abiusx at owasp.org>> wrote:
>>>
>>> I’m perfectly fine with criticising and QAing projects.
>>>
>>> What I’m not fine with, is reading some blogs or
>>> posts somewhere, without verifying their validity,
>>> and then putting the blame on our contributors
>>> without proper investigation.
>>>
>>> This is not how we defend and motivate our community.
>>>
>>> Plus, the only solution for a “broken library” is
>>> either to fix it, or to announce it as broken. These
>>> gentlemen insisting on removing the library sounds
>>> like trolling to me. They even refuse to add a
>>> README file to the Github repo which clearly states
>>> that
>>> this project is inactive and insecure. All they want
>>> is to delete the code entirely, which doesn’t make
>>> sense to me at all.
>>>
>>> I’m unhappy with your post, because you say “they
>>> have valid points” without properly investigating.
>>> They think they didn’t make progress by trolling on
>>> Github, and now are using you to reflect this issue
>>> on the leaders list. You could’ve contacted me first
>>> and asked about this before going public with it.
>>> I’m very unhappy with the process you have taken for
>>> this, undermining a contributor completely.
>>>
>>> Regards
>>> -Abbas
>>>
>>>
>>>> On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>> <johanna.curiel at owasp.org
>>>> <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>> >>If you’d want to keep your “users” happy and your
>>>> “contributors” unhappy, you should think of a
>>>> commercial organisation instead of an open one.
>>>>
>>>> I think this is a very difficult balance to do. I
>>>> understand from your pov as contributor but fact
>>>> is, OWASP has also a reputation of being 'secure'
>>>> so probably the expectations are higher because we
>>>> preach security.
>>>>
>>>> Look, I volunteer too but my proposals get
>>>> questioned and criticised in a way that it feels
>>>> to me like I've been questioned as an employee and
>>>> not a volunteer, but in a certain way, if you look
>>>> deeply, people questioning my proposals want to
>>>> achieve goals that are aligned with OWASP mission.
>>>> And that means I have to work harder to present my
>>>> arguments. Just because the effort is 'volunteered'
>>>> does not mean it does not hold certain responsibilities.
>>>>
>>>> Let me ask you: Has this project ever been tested
>>>> to verify how well it works or not? Most projects
>>>> at OWASP do not have any form of QA. Security
>>>> libraries hold more responsibility in this case.
>>>>
>>>> This is a security library and if it contains
>>>> security issues then this is a problem. This does
>>>> not align with the mission, even if a lot of work
>>>> was put to create this project.
>>>>
>>>> I don't think they are trolling you. They have
>>>> valid points and their complaint is that it is not
>>>> responsible to leave this library to be used if it
>>>> holds these issues or they are not properly explained.
>>>> And it is not only the crypto issue.
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi
>>>> <abiusx at owasp.org <mailto:abiusx at owasp.org>> wrote:
>>>>
>>>> I agree with all of that.
>>>>
>>>> This is an open source project. If they find
>>>> issues, especially tiny issues that can be fixed
>>>> with a few lines of code,
>>>> they are welcome to do so. That is not grounds
>>>> for deleting a project.
>>>>
>>>> The way I see it, is that they are trolling,
>>>> and not helping. I have not created this
>>>> library, and I’m only defending it because it
>>>> is the right thing to do.
>>>> If you’d want to keep your “users” happy and
>>>> your “contributors” unhappy, you should think
>>>> of a commercial organization instead of an open
>>>> one.
>>>>
>>>> Regards
>>>> -Abbas
>>>>
>>>>> On Nov 25, 2015, at 1:25 PM, johanna curiel
>>>>> curiel <johanna.curiel at owasp.org
>>>>> <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>
>>>>> Abbas
>>>>>
>>>>> I think they made very strong points and the
>>>>> project is right now inactive since it has not
>>>>> been updated in more than a year.
>>>>>
>>>>> The people commenting on your project have
>>>>> quite a reputation themselves too.
>>>>>
>>>>> I think if these issues cannot be fixed by you,
>>>>> since you are the leader and since the project
>>>>> is inactive, the best is to warn users.
>>>>> Sven, who was a contributor, also acknowledged
>>>>> the issues.
>>>>>
>>>>> By the way, going from complaints of multiple PHP
>>>>> developers on the GitHub page of the project
>>>>> to now Twitter means they are not happy and
>>>>> they are trying to escalate their
>>>>> concerns. That's how I see this.
>>>>>
>>>>> regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>> <abiusx at owasp.org <mailto:abiusx at owasp.org>>
>>>>> wrote:
>>>>>
>>>>> They are trying to troll the project.
>>>>> Read the thread at
>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to
>>>>> realize that.
>>>>> We have provided ample opportunity for
>>>>> them to contribute, fix, or help the project.
>>>>> All they want is to take the project down,
>>>>> which I obviously refuse.
>>>>>
>>>>> I don’t think it really hurts OWASP
>>>>> reputation. If anyone delves into the
>>>>> technical discussions that would be apparent.
>>>>> Regards
>>>>> -Abbas
>>>>>
>>>>>> On Nov 25, 2015, at 1:17 PM, johanna
>>>>>> curiel curiel <johanna.curiel at owasp.org
>>>>>> <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>>
>>>>>> Hi Erlend
>>>>>>
>>>>>> We are aware of the issues and
>>>>>> remediation is underway ;-)
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Wed, Nov 25, 2015 at 1:54 PM, Jim
>>>>>> Manico <jim.manico at owasp.org
>>>>>> <mailto:jim.manico at owasp.org>> wrote:
>>>>>>
>>>>>> Yup, it's bad.
>>>>>>
>>>>>> Johanna Curiel and Claudia are
>>>>>> leading the charge here. They are in
>>>>>> the process of fully removing the
>>>>>> project from GitHub. As in, right now…
>>>>>>
>>>>>> - Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 11/25/15 7:50 PM,
>>>>>> erlend.oftedal at owasp.org
>>>>>> <mailto:erlend.oftedal at owasp.org> wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> See
>>>>>>> https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>> and the link in that message.
>>>>>>>
>>>>>>> According to the OWASP website the
>>>>>>> project is inactive, yet
>>>>>>> contributions are made on github,
>>>>>>> and there are no signs of the
>>>>>>> project status on github.
>>>>>>> The crypto code is bad, as
>>>>>>> voodooKobra rightly points out. With
>>>>>>> a known key and iv, this encryption
>>>>>>> is useless.
>>>>>>> And the code is referenced from
>>>>>>> stackoverflow++.
>>>>>>>
>>>>>>> When deactivating a project we need
>>>>>>> to make sure the deactivation is
>>>>>>> clearly visible on GitHub as well.
>>>>>>>
>>>>>>> Best regards
>>>>>>> Erlend Oftedal
>>>>>>> OWASP Norway
>>>>>>> @webtonull
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
>
>
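Erlend's remark in the quoted thread that encryption with a known key and IV is useless is the one technical point in this discussion. The following PHP is an added illustration, not phpsec's code and not from any OWASP project: the anti-pattern of constants baked into source, beside a wrapper of the shape a reviewer would expect instead (caller-supplied key, fresh random nonce per message, authenticated mode). All key and message values are constructed for the example.

```php
<?php
// Added illustration (not phpsec code): why a key and IV that are fixed in
// source give no confidentiality, and what a correct wrapper looks like.
// Every key, IV and message value below is constructed for this example.

// Anti-pattern: key and IV are constants, so anyone who can read the source
// (or the public repository) holds everything needed to decrypt.
const FIXED_KEY = '0123456789abcdef0123456789abcdef'; // 32 bytes, constructed
const FIXED_IV  = 'abcdef0123456789';                 // 16 bytes, constructed

function encrypt_with_fixed_iv(string $plaintext): string {
    // No authentication, and the same input always yields the same output.
    return openssl_encrypt($plaintext, 'aes-256-cbc', FIXED_KEY, OPENSSL_RAW_DATA, FIXED_IV);
}

// Corrected pattern: per-message random nonce, authenticated mode (AES-256-GCM),
// key supplied by the caller from configuration or a key store, never from source.
function encrypt_authenticated(string $plaintext, string $key): string {
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $nonce = random_bytes(12);   // 96-bit nonce, fresh for every message
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ct;  // layout: nonce || tag || ciphertext
}

function decrypt_authenticated(string $blob, string $key): string {
    if (strlen($blob) < 12 + 16) {
        throw new RuntimeException('ciphertext too short');
    }
    $nonce = substr($blob, 0, 12);
    $tag   = substr($blob, 12, 16);
    $ct    = substr($blob, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        // GCM tag mismatch: the ciphertext was modified or the key is wrong.
        throw new RuntimeException('authentication failed: ciphertext rejected');
    }
    return $pt;
}

$message = 'sample message for the example';

// Check 1: with a fixed key and IV, equal plaintexts give equal ciphertexts,
// so an observer can match records without any key at all.
$a = encrypt_with_fixed_iv($message);
$b = encrypt_with_fixed_iv($message);
echo "fixed-IV ciphertexts identical: " . ($a === $b ? 'yes' : 'no') . "\n";

// Check 2: the corrected wrapper never repeats ciphertext for the same input,
// round-trips correctly, and rejects a single flipped bit.
$key = random_bytes(32);
$c1 = encrypt_authenticated($message, $key);
$c2 = encrypt_authenticated($message, $key);
echo "GCM ciphertexts identical: " . ($c1 === $c2 ? 'yes' : 'no') . "\n";
echo "GCM round trip ok: " . (decrypt_authenticated($c1, $key) === $message ? 'yes' : 'no') . "\n";

$tampered = $c1;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decrypt_authenticated($tampered, $key);
    echo "unexpected: tampered ciphertext accepted\n";
} catch (RuntimeException $e) {
    echo "tampered ciphertext rejected: {$e->getMessage()}\n";
}
```

Run it with `php example.php` (PHP 7.1 or later, since GCM support in `openssl_encrypt` arrived in 7.1). The first check is the cheap review test for any wrapper like the one discussed in the thread: encrypt the same input twice and compare; identical output means the IV is not being chosen per message. Storing the nonce and tag alongside the ciphertext is what lets the receiver verify integrity before trusting the plaintext.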