[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation

Jim Manico jim.manico at owasp.org
Wed Nov 25 19:24:53 UTC 2015


Sometimes project leaders get busy and abandon projects. No shame here, 
but the foundation needs to take over and mark the project as inactive.

Again, I think we are all on the same page much more than disagreeing.

I do think the project should be left public so folks who currently use 
it can visit the site and understand that it's no longer active. Also, 
someone who depends on this project may wish to pick it up and fix the 
problems.

These things cannot be done if the project is private.

So my vote is to label the project as inactive very clearly, take the 
comments from the experts and add them as GitHub issues and leave the 
project public so the inactivity and reported issues are clear.

Aloha,
Jim


On 11/25/15 9:21 PM, johanna curiel curiel wrote:
> Jim
>
> I requested claudia to set as 'inactive' and private until fix.
>
> It is only my opinion that users should be very aware of the risks in the 
> libraries.
>
> Deleting the code is imo not the same as setting a repository private.
>
> I believe Claudia has set it with a README as inactive, and I think 
> this is the least responsibility towards users. I just don't understand, 
> Abbas, why Sven or Claudia, who are not project leaders, had to do this. 
> That is at least a responsibility you have as project leader, not Sven 
> or Claudia.
>
> Deleting the code was never proposed by me; on the contrary, when it was 
> proposed I mentioned in the same thread that this is something different.
>
>
> regards
>
> Johanna
>
> On Wed, Nov 25, 2015 at 3:12 PM, Abbas Naderi <abiusx at owasp.org 
> <mailto:abiusx at owasp.org>> wrote:
>
>     Making it private is basically the same thing as deleting it.
>
>     If you want to take over the project, be my guest. Things get less
>     and less open around here every day, after all.
>     Regards
>     -Abbas
>
>>     On Nov 25, 2015, at 2:10 PM, johanna curiel curiel
>>     <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>>
>>     Are you basically implying that any insecure project should be
>>     deleted? If that’s the case please provide me a list of OWASP
>>     projects and I’d be happy to report vulnerabilities, then we can
>>     delete them together.
>>
>>     I have not said it should be deleted. I have asked Claudia to set the
>>     project as 'Private' so inexperienced developers don't go and use
>>     this library until it is fixed.
>>
>>     By the way this is a 'security library' so the responsibility at
>>     this point is higher than other projects.
>>
>>     You can try to win over the experts criticizing you, if you are able to
>>     accept and discuss with them how you can together fix it, and win
>>     their efforts.
>>
>>
>>     regards
>>
>>     On Wed, Nov 25, 2015 at 3:05 PM, Abbas Naderi <abiusx at owasp.org
>>     <mailto:abiusx at owasp.org>> wrote:
>>
>>         Are you basically implying that any insecure project should
>>         be deleted? If that’s the case please provide me a list of
>>         OWASP projects and I’d be happy to report vulnerabilities,
>>         then we can delete them together.
>>
>>         How rational is that argument?
>>
>>         An insecure library needs to be labelled/patched, not
>>         removed. I think that’s enough for users to realize that this
>>         library is not secure, and provide a chance for open source
>>         contributors to fix the issues.
>>
>>         The project is by all means not my darling. I have not coded
>>         in the project, and I don’t remember a single line of code
>>         from that project. However, as my first sentence clearly
>>         stated, your reasoning for what you are asking for is not
>>         very rational.
>>
>>         You could still contact me /before/ going public with this
>>         issue on the leaders list. To me, it seems like you’d rather
>>         have your goal accomplished rather than help solve things.
>>         And I’m really not in favor of that kind of behavior.
>>
>>         Regards
>>         -Abbas
>>
>>
>>>         On Nov 25, 2015, at 2:02 PM, johanna curiel curiel
>>>         <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>>>         wrote:
>>>
>>>         >>All they want is to delete the code entirely, which doesn’t
>>>         make sense to me at all.
>>>
>>>         Abbas, their point is that it is not responsible to leave this
>>>         open if no one is going to document or fix it. I don't think it is
>>>         responsible to leave an insecure library. And I did take
>>>         the time to read the issues they mentioned.
>>>
>>>         You are the one mainly responsible for your project, not the
>>>         users who pinpointed the issues, nor should they go and
>>>         change it when they have the opinion that the entire library
>>>         does not serve its purpose.
>>>
>>>         People who want to see the whole thread can judge for themselves:
>>>         https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>
>>>         I even defend you as a volunteer, but I have the opinion that
>>>         we have a responsibility towards users, especially if you
>>>         have not worked on this project for more than a year and
>>>         have no time to fix issues in a security library.
>>>
>>>         Even Sven, who was a contributor to this project, accepted
>>>         that this library does not achieve its purpose and should
>>>         not be available to users; it is just not responsible.
>>>
>>>         Sometimes we need to kill our darlings...
>>>
>>>         Btw I'm just a contributor as you are.
>>>
>>>
>>>
>>>         Regards
>>>
>>>         Johanna
>>>
>>>         On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi
>>>         <abiusx at owasp.org <mailto:abiusx at owasp.org>> wrote:
>>>
>>>             I’m perfectly fine with criticising and QAing projects.
>>>
>>>             What I’m not fine with, is reading some blogs or posts
>>>             somewhere, without verifying their validity, and then
>>>             putting the blame on our contributors without proper
>>>             investigation.
>>>
>>>             This is not how we defend and motivate our community.
>>>
>>>             Plus, the only solution for a “broken library” is either
>>>             to fix it, or to announce it as broken. These gentlemen
>>>             insisting on removing the library sounds like trolling
>>>             to me. They even refuse to add a README file to the
>>>             Github repo which clearly states that
>>>             this project is inactive and insecure. All they want is
>>>             to delete the code entirely, which doesn’t make sense to
>>>             me at all.
>>>
>>>             I’m unhappy with your post, because you say “they have
>>>             valid points” without properly investigating. They think
>>>             they didn’t make progress by trolling on Github, and now
>>>             are using you to reflect this issue on the leaders list.
>>>             You could’ve contacted me first and asked about this
>>>             before going public with it. I’m very unhappy with the
>>>             process you have taken for this, undermining a
>>>             contributor completely.
>>>
>>>             Regards
>>>             -Abbas
>>>
>>>
>>>>             On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>>             <johanna.curiel at owasp.org
>>>>             <mailto:johanna.curiel at owasp.org>> wrote:
>>>>
>>>>             >>If you’d want to keep your “users” happy and your
>>>>             “contributors” unhappy, you should think of a
>>>>             commercial organisation instead of an open one.
>>>>
>>>>             I think this is a very difficult balance to strike. I
>>>>             understand your pov as a contributor, but the fact is,
>>>>             OWASP also has a reputation of being 'secure', so
>>>>             probably the expectations are higher because we preach
>>>>             security.
>>>>
>>>>             Look, I volunteer too, but my proposals get questioned
>>>>             and criticised in a way that feels to me like I've
>>>>             been questioned as an employee and not a volunteer. But
>>>>             in a certain way, if you look deeply, the people
>>>>             questioning my proposals want to achieve goals that
>>>>             are aligned with the OWASP mission. And that means I have
>>>>             to work harder to present my arguments. Just because the
>>>>             effort is 'volunteered' does not mean it does not hold certain
>>>>             responsibilities.
>>>>
>>>>             Let me ask you: has this project ever been tested to
>>>>             verify how well it works or not? Most projects at OWASP
>>>>             do not have any form of QA. Security libraries hold
>>>>             more responsibility in this case.
>>>>
>>>>             This is a security library and if it contains security
>>>>             issues then this is a problem. This does not align with
>>>>             the mission, even if a lot of work was put to create
>>>>             this project.
>>>>
>>>>             I don't think they are trolling you. They have valid
>>>>             points, and their complaint is that it is not responsible
>>>>             to leave this library to be used if it holds these
>>>>             issues or they are not properly explained. And it is not only
>>>>             the crypto issue.
>>>>
>>>>             Regards
>>>>
>>>>             Johanna
>>>>
>>>>             On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi
>>>>             <abiusx at owasp.org <mailto:abiusx at owasp.org>> wrote:
>>>>
>>>>                 I agree with all of that.
>>>>
>>>>                 This is an open source project. If they find
>>>>                 issues, especially tiny issues that can be fixed
>>>>                 with a few lines of code,
>>>>                 they are welcome to do so. That is not grounds for
>>>>                 deleting a project.
>>>>
>>>>                 The way I see it, is that they are trolling, and
>>>>                 not helping. I have not created this library, and
>>>>                 I’m only defending it because it is the right thing
>>>>                 to do.
>>>>                 If you’d want to keep your “users” happy and your
>>>>                 “contributors” unhappy, you should think of a
>>>>                 commercial organization instead of an open one.
>>>>
>>>>                 Regards
>>>>                 -Abbas
>>>>
>>>>>                 On Nov 25, 2015, at 1:25 PM, johanna curiel curiel
>>>>>                 <johanna.curiel at owasp.org
>>>>>                 <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>
>>>>>                 Abbas
>>>>>
>>>>>                 I think they made very strong points and the
>>>>>                 project is right now inactive since it has not
>>>>>                 been updated in more than a year.
>>>>>
>>>>>                 The people commenting on your project have
>>>>>                 quite a reputation themselves too.
>>>>>
>>>>>                 I think if these issues cannot be fixed by you,
>>>>>                 since you are the leader and since the project is
>>>>>                 inactive, the best is to warn users.
>>>>>                 Sven, who was a contributor, also acknowledged the
>>>>>                 issues.
>>>>>
>>>>>                 By the way, going from complaints of multiple PHP
>>>>>                 developers on the GitHub page of the project to
>>>>>                 now Twitter means they are not happy and they are
>>>>>                 trying to escalate their concerns. That's how I see
>>>>>                 this.
>>>>>
>>>>>                 regards
>>>>>
>>>>>                 Johanna
>>>>>
>>>>>                 On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>>                 <abiusx at owasp.org <mailto:abiusx at owasp.org>> wrote:
>>>>>
>>>>>                     They are trying to troll the project.
>>>>>                     Read the thread at
>>>>>                     https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446 to
>>>>>                     realize that.
>>>>>                     We have provided ample opportunity for them to
>>>>>                     contribute, fix, or help the project.
>>>>>                     All they want is to take the project down,
>>>>>                     which I obviously refuse.
>>>>>
>>>>>                     I don’t think it really hurts OWASP
>>>>>                     reputation. If anyone delves into the
>>>>>                     technical discussions that would be apparent.
>>>>>                     Regards
>>>>>                     -Abbas
>>>>>
>>>>>>                     On Nov 25, 2015, at 1:17 PM, johanna curiel
>>>>>>                     curiel <johanna.curiel at owasp.org
>>>>>>                     <mailto:johanna.curiel at owasp.org>> wrote:
>>>>>>
>>>>>>                     Hi Erlend
>>>>>>
>>>>>>                     We are aware of the issues and remediation is
>>>>>>                     underway ;-)
>>>>>>
>>>>>>                     regards
>>>>>>
>>>>>>                     Johanna
>>>>>>
>>>>>>                     On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico
>>>>>>                     <jim.manico at owasp.org
>>>>>>                     <mailto:jim.manico at owasp.org>> wrote:
>>>>>>
>>>>>>                         Yup, it's bad.
>>>>>>
>>>>>>                         Johanna Curiel and Claudia are leading
>>>>>>                         the charge here. They are in the process
>>>>>>                         of fully removing the project from
>>>>>>                         GitHub. As in, right now…
>>>>>>
>>>>>>                         - Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>>                         On 11/25/15 7:50 PM,
>>>>>>                         erlend.oftedal at owasp.org
>>>>>>                         <mailto:erlend.oftedal at owasp.org> wrote:
>>>>>>>                         Hi
>>>>>>>
>>>>>>>                         See
>>>>>>>                         https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>>                         and the link in that message.
>>>>>>>
>>>>>>>                         According to the OWASP website the
>>>>>>>                         project is inactive, yet contributions
>>>>>>>                         are made on GitHub, and there are no
>>>>>>>                         signs of the project status on GitHub.
>>>>>>>                         The crypto code is bad, as voodooKobra
>>>>>>>                         rightly points out. With a known key and
>>>>>>>                         IV, this encryption is useless.
>>>>>>>                         And the code is referenced from
>>>>>>>                         stackoverflow++.
>>>>>>>
>>>>>>>                         When deactivating a project we need to
>>>>>>>                         make sure the deactivation is clearly
>>>>>>>                         visible on GitHub as well.
>>>>>>>
>>>>>>>                         Best regards
>>>>>>>                         Erlend Oftedal
>>>>>>>                         OWASP Norway
>>>>>>>                         @webtonull
>>>>>>>
>>>>>>>
>>>>>>>                         _______________________________________________
>>>>>>>                         OWASP-Leaders mailing list
>>>>>>>                         OWASP-Leaders at lists.owasp.org
>>>>>>>                         <mailto:OWASP-Leaders at lists.owasp.org>
>>>>>>>                         https://lists.owasp.org/mailman/listinfo/owasp-leaders

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
