[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

johanna curiel curiel johanna.curiel at owasp.org
Wed Nov 25 18:25:15 UTC 2015


Abbas

I think they made very strong points, and the project is currently inactive,
since it has not been updated in more than a year.

The people commenting on your project have quite a reputation themselves, too.

I think that if these issues cannot be fixed by you, since you are the leader,
and since the project is inactive, the best option is to warn users.
Sven, who was a contributor, also acknowledged the issues.

By the way, going from complaints by multiple PHP developers on the GitHub page
of the project to Twitter now means they are not happy and they are trying
to escalate their concerns. That's how I see this.

regards

Johanna

On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi <abiusx at owasp.org> wrote:

> They are trying to troll the project.
> Read the thread at
> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to
> realize that.
> We have provided ample opportunity for them to contribute, fix, or help
> the project.
> All they want is to take the project down, which I obviously refuse.
>
> I don’t think it really hurts OWASP's reputation. If anyone delves into the
> technical discussions, that will be apparent.
> Regards
> -Abbas
>
> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> Hi Erlend
>
> We are aware of the issues and remediation is underway ;-)
>
> regards
>
> Johanna
>
> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Yup, it's bad.
>>
>> Johanna Curiel and Claudia are leading the charge here. They are in the
>> process of fully removing the project from GitHub. As in, right now…
>>
>> - Jim
>>
>>
>>
>> On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>
>> Hi
>>
>> See https://twitter.com/voodooKobra/status/669537889500311553 and the
>> link in that message.
>>
>> According to the OWASP website the project is inactive, yet contributions
>> are made on github, and there are no signs of the project status on github.
>> The crypto code is bad, as voodooKobra rightly points out. With a known
>> key and IV, this encryption is useless.
>> And the code is referenced from stackoverflow++.
>>
>> When deactivating a project we need to make sure the deactivation is
>> clearly visible on GitHub as well.
>>
>> Best regards
>> Erlend Oftedal
>> OWASP Norway
>> @webtonull
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders