[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Abbas Naderi abiusx at owasp.org
Wed Nov 25 18:28:23 UTC 2015


I agree with all of that.

This is an open source project. If they find issues, especially tiny issues that can be fixed with a few lines of code,
they are welcome to do so. That is not grounds for deleting a project.

The way I see it is that they are trolling, and not helping. I have not created this library, and I’m only defending it because it is the right thing to do.
If you’d want to keep your “users” happy and your “contributors” unhappy, you should think of a commercial organization instead of an open one.

Regards
-Abbas

> On Nov 25, 2015, at 1:25 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> 
> Abbas
> 
> I think they made very strong points and the project is right now inactive since it has not been updated in more than a year.
> 
> The people commenting on your project have themselves quite a reputation too.
> 
> I think if these issues cannot be fixed by you since you are the leader and since the project is inactive, the best is to warn users.
> Sven, who was a contributor, also acknowledged the issues.
> 
> By the way, from complaints of multiple PHP developers in the github page of the project to now twitter means they are not happy and they are trying to escalate their concerns. That's how I see this.
> 
> regards
> 
> Johanna
> 
> On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi <abiusx at owasp.org> wrote:
> They are trying to troll the project.
> Read the thread at https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to realize that.
> We have provided ample opportunity for them to contribute, fix, or help the project.
> All they want is to take the project down, which I obviously refuse.
> 
> I don’t think it really hurts OWASP reputation. If anyone delves into the technical discussions that would be apparent.
> Regards
> -Abbas
> 
>> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> 
>> Hi Erlend
>> 
>> We are aware of the issues and remediation is underway ;-)
>> 
>> regards
>> 
>> Johanna
>> 
>> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Yup, it's bad.
>> 
>> Johanna Curiel and Claudia are leading the charge here. They are in the process of fully removing the project from GitHub. As in, right now…
>> 
>> - Jim
>> 
>> 
>> 
>> On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>> Hi
>>> 
>>> See https://twitter.com/voodooKobra/status/669537889500311553 and the link in that message.
>>> 
>>> According to the OWASP website the project is inactive, yet contributions are made on github, and there are no signs of the project status on github.
>>> The crypto code is bad, as voodooKobra rightly points out. With a known key and iv, this encryption is useless.
>>> And the code is referenced from stackoverflow++.
>>> 
>>> When deactivating a project we need to make sure the deactivation is clearly visible on github as well.
>>> 
>>> Best regards
>>> Erlend Oftedal
>>> OWASP Norway
>>> @webtonull
>>> 
>>> 
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders <https://lists.owasp.org/mailman/listinfo/owasp-leaders>
>> 
>> 
> 
> 
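Erlend's point that encryption with a known key and IV is useless is the one technical claim in the thread. The following is an added illustration written for this page; it is not code from OWASP phpsec and makes no claim about what that library actually does. It contrasts the weak pattern (a fixed key and IV baked into the source) with a sound construction: a secret key supplied from outside the code, a fresh random IV per message, and an HMAC tag checked before decryption. The constant names, the `APP_ENC_KEY` convention and the sample inputs are all constructed for the example.

```php
<?php
// Added example, not code from the phpsec project.

// --- Weak pattern: static key and IV hard-coded in the source ----------------
// Anyone who can read the code (including every public fork of it) holds the
// key, and identical plaintexts always produce identical ciphertexts, so the
// "encryption" hides nothing from a reader of the repository.
const WEAK_KEY = '0123456789abcdef0123456789abcdef'; // constructed, 32 bytes
const WEAK_IV  = 'abcdef0123456789';                 // constructed, 16 bytes

function weakEncrypt(string $plaintext): string
{
    return openssl_encrypt($plaintext, 'aes-256-cbc', WEAK_KEY, OPENSSL_RAW_DATA, WEAK_IV);
}

// --- Sound pattern: secret key, per-message IV, encrypt-then-MAC ---------------
// The master key is 32 random bytes that live outside the source (secret store,
// environment variable); separate encryption and MAC keys are derived from it.
function deriveKeys(string $masterKey): array
{
    if (strlen($masterKey) !== 32) {
        throw new InvalidArgumentException('master key must be 32 random bytes');
    }
    return [
        hash_hmac('sha256', 'encryption',     $masterKey, true),
        hash_hmac('sha256', 'authentication', $masterKey, true),
    ];
}

function secureEncrypt(string $plaintext, string $masterKey): string
{
    [$encKey, $macKey] = deriveKeys($masterKey);

    // Fresh IV for every message; it is public and travels with the ciphertext.
    $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Tag covers IV and ciphertext so neither can be altered unnoticed.
    $tag = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);
    return base64_encode($iv . $ciphertext . $tag);
}

function secureDecrypt(string $encoded, string $masterKey): string
{
    [$encKey, $macKey] = deriveKeys($masterKey);

    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 16 + 32) {
        throw new RuntimeException('malformed message');
    }
    $iv         = substr($raw, 0, 16);
    $tag        = substr($raw, -32);
    $ciphertext = substr($raw, 16, -32);

    // Verify in constant time before touching the ciphertext, so a tampered
    // message is rejected rather than decrypted and acted upon.
    $expected = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        throw new RuntimeException('authentication failed');
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed');
    }
    return $plaintext;
}

// --- Demonstration with constructed inputs ------------------------------------
$master = getenv('APP_ENC_KEY') !== false
    ? base64_decode(getenv('APP_ENC_KEY'), true)   // assumed: base64 of 32 random bytes
    : random_bytes(32);                            // fallback for a local run only
$msg = 'hello, world';

// Weak: deterministic, so two encryptions of the same text are byte-identical.
var_dump(weakEncrypt($msg) === weakEncrypt($msg));

// Sound: distinct ciphertexts for the same text, and a correct round trip.
$c1 = secureEncrypt($msg, $master);
$c2 = secureEncrypt($msg, $master);
var_dump($c1 !== $c2);
var_dump(secureDecrypt($c1, $master) === $msg);

// Flip one bit inside the ciphertext: the tag check rejects it.
$raw = base64_decode($c1, true);
$raw[20] = chr(ord($raw[20]) ^ 0x01);
try {
    secureDecrypt(base64_encode($raw), $master);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with a PHP build that has the openssl extension. The first `var_dump` prints true for the weak function, showing the determinism that makes a fixed key and IV worthless; the next two print true for the sound function, and the final line reports the authentication failure. A library that wants to avoid this class of issue should ship no key or IV in its source at all and should make the per-message IV and the tag part of its wire format, as above.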
