[Owasp-leaders] Poor crypto code in OWASP phpsec hurts our reputation
AF
antonio.fontes at owasp.org
Thu Nov 26 07:30:17 UTC 2015
Yes, agree. I'd rather see it flagged than not see it at all.
Cheers,
Antonio
PS: We all know that deleting content on a user's request is nope. GAMA are wonderful teachers ;)
(sent with mobile, please excuse any excessive brevity or typo)
--
Antonio Fontes
OWASP Switzerland, board member
OWASP Geneva, chapter leader
skype: antonio.fontes
On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico <jim.manico at owasp.org> wrote:
>The project is still live and will continue to be.
>
>https://github.com/OWASP/phpsec
>
>1) It's been labeled clearly as abandoned, which is fair to say I think
>(in both GitHub and the Wiki).
>2) The codebase has been deleted from the main branch
>3) For anyone who wishes to revive this project, all the code is in the
>project history
>
>I think this is a fair balance of all concerns.
>
>Aloha,
>Jim
>
>
>On 11/26/15 1:46 AM, Antonio Fontes wrote:
>> Hi,
>>
>> I agree with Abbas on this point.
>>
>> OWASP has a responsibility to warn users when a library project is
>> inactive, unmaintained and/or was identified as broken by experts in
>> the domain (if it really is; disclaimer: I have only read the content
>> posted in the leaders list).
>>
>> However, I don't see a valid rationale behind the decision to
>> suppress it entirely. Users don't get to decide what gets suppressed
>> or not from the web, especially when the content doesn't belong to
>> them, more especially when the argument is "it's not clean", and even
>> more especially when the request for deletion comes from
>> "crypto-experts" (I want to see the badge first).
>>
>> Our mission as OWASP leaders is to lead, not to baby-sit people who
>> download code marked as unsafe and abandoned and install it in their
>> organization's systems.
>>
>> If we abide by this rationale, then we should suppress all previous
>> versions of the OWASP guides that are currently available for
>> download as archives.
>> Most of them are incomplete, do not cover the state of the art
>> knowledge we have reached today, and many of them contain advice that
>> is outdated.
>>
>> regards,
>> Antonio
>>
>> --
>> OWASP Geneva Chapter
>> Contact: geneva at owasp.ch
>> Twitter: @owasp_geneva
>> Newsletter: https://lists.owasp.org/mailman/listinfo/owasp-geneva
>> On 11/25/2015 8:02 PM, johanna curiel curiel wrote:
>>> >> All they want is to delete the code entirely, which doesn’t make
>>> >> sense to me at all.
>>>
>>> Abbas, their point is that it is not responsible to leave this open
>>> if no one is going to document or fix it. I don't think it is
>>> responsible to leave an insecure library. And I did take the time to
>>> read the issues they mentioned.
>>>
>>> You are the one primarily responsible for your project, not the
>>> users who pinpointed the issues, nor should they go and change it
>>> when they are of the opinion that the entire library does not serve
>>> its purpose.
>>>
>>> People who want to see the whole thread can judge for themselves:
>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690
>>>
>>> I even defend you as a volunteer, but I am of the opinion that we
>>> have a responsibility towards users, especially if you have not
>>> worked on this project for more than a year and have no time to fix
>>> issues in a security library.
>>>
>>> Even Sven, who was a contributor to this project, accepted that this
>>> library does not achieve its purpose and should not be available to
>>> users; it is just not responsible.
>>>
>>> Sometimes we need to kill our darlings...
>>>
>>> Btw I'm just a contributor as you are.
>>>
>>>
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>> On Wed, Nov 25, 2015 at 2:47 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>
>>> I’m perfectly fine with criticising and QAing projects.
>>>
>>> What I’m not fine with, is reading some blogs or posts somewhere,
>>> without verifying their validity, and then putting the blame on
>>> our contributors without proper investigation.
>>>
>>> This is not how we defend and motivate our community.
>>>
>>> Plus, the only solution for a “broken library” is either to fix
>>> it, or to announce it as broken. These gentlemen insisting on
>>> removing the library sounds like trolling to me. They even refuse
>>> to add a README file to the Github repo which clearly states that
>>> this project is inactive and insecure. All they want is to delete
>>> the code entirely, which doesn’t make sense to me at all.
>>>
>>> I’m unhappy with your post, because you say “they have valid
>>> points” without properly investigating. They think they didn’t
>>> make progress by trolling on Github, and now are using you to
>>> reflect this issue on the leaders list. You could’ve contacted me
>>> first and asked about this before going public with it. I’m very
>>> unhappy with the process you have taken for this, undermining a
>>> contributor completely.
>>>
>>> Regards
>>> -Abbas
>>>
>>>
>>>> On Nov 25, 2015, at 1:44 PM, johanna curiel curiel
>>>> <johanna.curiel at owasp.org> wrote:
>>>>
>>>> >> If you’d want to keep your “users” happy and your
>>>> >> “contributors” unhappy, you should think of a
>>>> >> commercial organisation instead of an open one.
>>>>
>>>> I think this is a very difficult balance to strike. I understand
>>>> your pov as a contributor, but the fact is, OWASP also has a
>>>> reputation of being 'secure', so probably the expectations are
>>>> higher because we preach security.
>>>>
>>>> Look, I volunteer too, but my proposals get questioned and
>>>> criticised in a way that feels to me like I've been
>>>> questioned as an employee and not a volunteer; but in a certain
>>>> way, if you look deeply, the people questioning my proposals want
>>>> to achieve goals that are aligned with the OWASP mission. And that
>>>> means I have to work harder to present my arguments. Just because
>>>> the effort is 'volunteered' does not mean it does not carry certain
>>>> responsibilities.
>>>>
>>>> Let me ask you: has this project ever been tested to verify how
>>>> well it works or not? Most projects at OWASP do not have any
>>>> form of QA. Security libraries hold more responsibility in this
>>>> case.
>>>>
>>>> This is a security library and if it contains security issues
>>>> then this is a problem. This does not align with the mission,
>>>> even if a lot of work was put to create this project.
>>>>
>>>> I don't think they are trolling you. They have valid points, and
>>>> their complaint is that it is not responsible to leave this
>>>> library to be used if it holds these issues or they are not properly
>>>> explained. And it is not only the crypto issue.
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>> On Wed, Nov 25, 2015 at 2:28 PM, Abbas Naderi <abiusx at owasp.org> wrote:
>>>>
>>>> I agree with all of that.
>>>>
>>>> This is an open source project. If they find issues,
>>>> especially tiny issues that can be fixed with a few lines of
>>>> code, they are welcome to do so. That is not grounds for deleting
>>>> a project.
>>>>
>>>> The way I see it, is that they are trolling, and not
>>>> helping. I have not created this library, and I’m only
>>>> defending it because it is the right thing to do.
>>>> If you’d want to keep your “users” happy and your
>>>> “contributors” unhappy, you should think of a commercial
>>>> organization instead of an open one.
>>>>
>>>> Regards
>>>> -Abbas
>>>>
>>>>> On Nov 25, 2015, at 1:25 PM, johanna curiel curiel
>>>>> <johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> Abbas
>>>>>
>>>>> I think they made very strong points, and the project is
>>>>> right now inactive since it has not been updated in more
>>>>> than a year.
>>>>>
>>>>> The people commenting on your project have quite a
>>>>> reputation themselves, too.
>>>>>
>>>>> I think if these issues cannot be fixed by you, since you
>>>>> are the leader, and since the project is inactive, the best
>>>>> is to warn users.
>>>>> Sven, who was a contributor, also acknowledged the issues.
>>>>>
>>>>> By the way, going from complaints of multiple PHP developers on
>>>>> the GitHub page of the project to now Twitter means they
>>>>> are not happy and they are trying to escalate their
>>>>> concerns. That's how I see this.
>>>>>
>>>>> regards
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Wed, Nov 25, 2015 at 2:20 PM, Abbas Naderi
>>>>> <abiusx at owasp.org> wrote:
>>>>>
>>>>> They are trying to troll the project.
>>>>> Read the thread at
>>>>> https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446
>>>>> to realize that.
>>>>> We have provided ample opportunity for them to
>>>>> contribute, fix, or help the project.
>>>>> All they want is to take the project down, which I
>>>>> obviously refuse.
>>>>>
>>>>> I don’t think it really hurts OWASP's reputation. If
>>>>> anyone delves into the technical discussions that would
>>>>> be apparent.
>>>>> Regards
>>>>> -Abbas
>>>>>
>>>>>> On Nov 25, 2015, at 1:17 PM, johanna curiel curiel
>>>>>> <johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>> Hi Erlend
>>>>>>
>>>>>> We are aware of the issues and remediation is underway ;-)
>>>>>>
>>>>>> regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Wed, Nov 25, 2015 at 1:54 PM, Jim Manico
>>>>>> <jim.manico at owasp.org> wrote:
>>>>>>
>>>>>> Yup, it's bad.
>>>>>>
>>>>>> Johanna Curiel and Claudia are leading the charge
>>>>>> here. They are in the process of fully removing
>>>>>> the project from GitHub. As in, right now…
>>>>>>
>>>>>> - Jim
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 11/25/15 7:50 PM, erlend.oftedal at owasp.org wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> See
>>>>>>> https://twitter.com/voodooKobra/status/669537889500311553
>>>>>>> and the link in that message.
>>>>>>>
>>>>>>> According to the OWASP website the project is
>>>>>>> inactive, yet contributions are made on github,
>>>>>>> and there are no signs of the project status on
>>>>>>> github.
>>>>>>> The crypto code is bad, as voodooKobra rightly
>>>>>>> points out. With a known key and iv, this
>>>>>>> encryption is useless.
>>>>>>> And the code is referenced from stackoverflow++.
>>>>>>>
>>>>>>> When deactivating a project we need to make sure
>>>>>>> the deactivation is clearly visible on github as
>>>>>>> well.
>>>>>>>
>>>>>>> Best regards
>>>>>>> Erlend Oftedal
>>>>>>> OWASP Norway
>>>>>>> @webtonull
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>--
>Jim Manico
>Global Board Member
>OWASP Foundation
>https://www.owasp.org
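Erlend's remark in the quoted thread, that encryption with a known key and IV is useless, in runnable form. The following is an example added by the editor for this page; it is not code from OWASP phpsec, from voodooKobra's post, or from anyone in the thread, and the constants, the sample message and the function names (bad_encrypt, good_encrypt, demonstrate) are constructed for illustration. It assumes PHP 7 or later with the OpenSSL extension. The corrected half goes one step beyond the thread's single point: besides taking the key out of the source and drawing a fresh IV per message, it adds an HMAC so a tampered ciphertext is rejected before anything is decrypted.

```php
<?php
// Added example, not code from OWASP phpsec or from anyone in the thread.
// It shows why encryption with a key and IV that an attacker knows is
// useless, and the shape of the fix. Requires the OpenSSL extension.
// The function and constant names below are hypothetical.

// --- Broken pattern: key and IV are constants in the (public) source ----
const BAD_KEY = 'this-key-lives-in-the-source-cod';   // 32 bytes, hard-coded
const BAD_IV  = '0123456789abcdef';                   // 16 bytes, never changes

function bad_encrypt(string $plaintext): string
{
    return openssl_encrypt($plaintext, 'aes-256-cbc', BAD_KEY, OPENSSL_RAW_DATA, BAD_IV);
}

// Anyone who has read the code decrypts every message ever produced,
// and since the IV is fixed, equal plaintexts give equal ciphertexts,
// so repeated messages are visible even without decrypting.
function bad_decrypt(string $ciphertext): string
{
    return openssl_decrypt($ciphertext, 'aes-256-cbc', BAD_KEY, OPENSSL_RAW_DATA, BAD_IV);
}

// --- Corrected pattern: secret key supplied from outside the source,
// fresh IV per message prepended to the ciphertext, HMAC over
// IV||ciphertext (Encrypt-then-MAC) checked before decryption. ----------
function good_encrypt(string $plaintext, string $encKey, string $macKey): string
{
    if (strlen($encKey) !== 32 || strlen($macKey) !== 32) {
        throw new InvalidArgumentException('keys must be 32 bytes');
    }
    $iv = random_bytes(16);                               // unpredictable, per message
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true); // 32 raw bytes
    return $iv . $ct . $tag;
}

function good_decrypt(string $blob, string $encKey, string $macKey): string
{
    if (strlen($blob) < 16 + 16 + 32) {                   // IV + one block + tag
        throw new RuntimeException('ciphertext too short');
    }
    $iv  = substr($blob, 0, 16);
    $tag = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    $expected = hash_hmac('sha256', $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {                  // constant-time compare
        throw new RuntimeException('authentication failed');
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

// --- Demonstration on a constructed message ----------------------------
function demonstrate(): array
{
    $out = [];
    $msg = 'transfer 100 EUR to account 42';              // constructed sample

    // Broken: deterministic output, and the "attacker" decrypts with
    // nothing but the constants taken from the repository.
    $c1 = bad_encrypt($msg);
    $c2 = bad_encrypt($msg);
    $out['fixed_iv_repeats_ciphertext']         = ($c1 === $c2);
    $out['attacker_with_source_reads_plaintext'] = (bad_decrypt($c1) === $msg);

    // Corrected: keys would come from the environment or a key store;
    // generated in-process here only to keep the example self-contained.
    $encKey = random_bytes(32);
    $macKey = random_bytes(32);
    $g1 = good_encrypt($msg, $encKey, $macKey);
    $g2 = good_encrypt($msg, $encKey, $macKey);
    $out['random_iv_repeats_ciphertext'] = ($g1 === $g2);
    $out['round_trip_ok']                = (good_decrypt($g1, $encKey, $macKey) === $msg);

    // Flip one bit of the ciphertext: the MAC check must reject it.
    $tampered = $g1;
    $tampered[16] = chr(ord($tampered[16]) ^ 0x01);
    try {
        good_decrypt($tampered, $encKey, $macKey);
        $out['tampering_rejected'] = false;
    } catch (RuntimeException $e) {
        $out['tampering_rejected'] = ($e->getMessage() === 'authentication failed');
    }
    return $out;
}

print_r(demonstrate());
```

Run it with `php example.php`. The broken half shows two encryptions of the same message coming out byte-identical and the message recovered from the constants alone; the corrected half shows differing ciphertexts, a clean round trip, and the tampered blob refused before decryption. The part no code can repair is key handling: a key checked into a public repository is known to everyone, whatever cipher mode it is used with.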