[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation
johanna curiel curiel
johanna.curiel at owasp.org
Wed Nov 25 18:25:15 UTC 2015
I think they made very strong points and the project is right now inactive
since it has not been updated in more than a year.
The people commenting on your project have themselves quite a reputation too.
I think if these issues cannot be fixed by you since you are the leader and
since the project is inactive, the best is to warn users.
Sven, who was a contributor, also acknowledged the issues.
By the way, from complaints of multiple PHP developers in the github page
of the project to now twitter means they are not happy and they are trying
to escalate their concerns. That's how I see this.
On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> They are trying to troll the project.
> Read the thread at
> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to
> realize that.
> We have provided ample opportunity for them to contribute, fix, or help
> the project.
> All they want is to take the project down, which I obviously refuse.
> I don’t think it really hurts OWASP reputation. If anyone delves into the
> technical discussions that would be apparent.
> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
> Hi Erlend
> We are aware of the issues and remediation is underway ;-)
> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Yup, it's bad.
>> Johanna Curiel and Claudia are leading the charge here. They are in the
>> process of fully removing the project from GitHub. As in, right now…
>> - Jim
>> On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>> See https://twitter.com/voodooKobra/status/669537889500311553 and the
>> link in that message.
>> According to the OWASP website the project is inactive, yet contributions
>> are made on github, and there are no signs of the project status on github.
>> The crypto code is bad, as voodooKobra rightly points out. With a known
>> key and iv, this encryption is useless.
>> And the code is referenced from stackoverflow++.
>> When deactivating a project we need to make sure the deactivation is
>> clearly visible on github as well.
>> Best regards
>> Erlend Oftedal
>> OWASP Norway
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
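A defender-side check that follows from Erlend's point about a known key and IV, added here as an example and not code from this thread or from the phpsec project: a small scanner that flags PHP encryption calls whose key or IV argument is a string literal, either written inline or passed through a variable that was assigned a literal. The PHP snippet it scans is constructed for the example and is not phpsec's code; the argument positions follow PHP's own `openssl_encrypt` and `mcrypt_encrypt` signatures.

```python
import re

# Constructed sample PHP source for the example (not phpsec's code).
# Line 4 uses a literal key and IV; line 7 derives a fresh IV per message;
# line 8 passes the key inline and reuses the literal $iv.
SAMPLE_PHP = """
$key = "0123456789abcdef";
$iv  = "fedcba9876543210";
$ct  = openssl_encrypt($data, "aes-128-cbc", $key, OPENSSL_RAW_DATA, $iv);

$iv2 = random_bytes(16);
$ct2 = openssl_encrypt($data, "aes-128-cbc", $key2, OPENSSL_RAW_DATA, $iv2);
$ct3 = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, "sixteen byte key", $data, MCRYPT_MODE_CBC, $iv);
"""

# `$name = "literal";` on a single line.
LITERAL_ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;')
# An encryption call whose argument list sits on one line.
ENCRYPT_CALL = re.compile(r'(openssl_encrypt|mcrypt_encrypt)\s*\((.*)\)\s*;')

# Zero-based (key, iv) argument positions per PHP's documented signatures:
#   openssl_encrypt($data, $cipher_algo, $passphrase, $options, $iv)
#   mcrypt_encrypt($cipher, $key, $data, $mode, $iv)
KEY_IV_POS = {"openssl_encrypt": (2, 4), "mcrypt_encrypt": (1, 4)}


def literal_vars(src):
    """Map variable name -> literal string for every `$x = "...";` line."""
    found = {}
    for line in src.splitlines():
        m = LITERAL_ASSIGN.match(line)
        if m:
            found[m.group(1)] = m.group(3)
    return found


def is_literal(arg, literals):
    """True if the argument is a quoted string or a variable holding one."""
    arg = arg.strip()
    if re.fullmatch(r'(["\']).*\1', arg):
        return True
    m = re.fullmatch(r'\$(\w+)', arg)
    return bool(m and m.group(1) in literals)


def find_hardcoded(src):
    """Return (line_no, function, 'key'|'iv') for each hard-coded argument.

    Argument splitting is a plain comma split, so calls with nested
    function calls in their argument list are not handled by this example.
    """
    literals = literal_vars(src)
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        m = ENCRYPT_CALL.search(line)
        if not m:
            continue
        func = m.group(1)
        args = [a.strip() for a in m.group(2).split(",")]
        key_pos, iv_pos = KEY_IV_POS[func]
        for label, pos in (("key", key_pos), ("iv", iv_pos)):
            if pos < len(args) and is_literal(args[pos], literals):
                findings.append((lineno, func, label))
    return findings


if __name__ == "__main__":
    for lineno, func, label in find_hardcoded(SAMPLE_PHP):
        print(f"line {lineno}: {func} called with hard-coded {label}")
```

Run against the embedded sample, the scanner reports the literal key and IV on line 4 and the inline key plus reused literal IV on line 8, while line 7 (fresh `random_bytes` IV, key not visible as a literal) passes. A real deployment would extend the variable tracking across files and handle constants and concatenation; the point here is that a fixed key or IV is visible in the source and can be caught before a release.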