<p dir="ltr">This is still ongoing and needs another look. <a href="https://github.com/OWASP/phpsec/issues/120#issuecomment-161396666">https://github.com/OWASP/phpsec/issues/120#issuecomment-161396666</a></p>
<p dir="ltr">Need the <a href="http://phpsec.owasp.org">phpsec.owasp.org</a> page updated probably. </p>
<div class="gmail_quote">On Nov 26, 2015 3:17 AM, "AF" <<a href="mailto:antonio.fontes@owasp.org">antonio.fontes@owasp.org</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">s/GAMA/GAFA/<br>
<br>
Sorry.<br>
(sent with mobile, please excuse any excessive brevity or typo) <br>
--<br>
Antonio Fontes<br>
OWASP Switzerland, board member<br>
OWASP Geneva, chapter leader<br>
  skype: antonio.fontes<br><br><div class="gmail_quote">On November 26, 2015 8:30:17 AM GMT+01:00, AF <<a href="mailto:antonio.fontes@owasp.org" target="_blank">antonio.fontes@owasp.org</a>> wrote:<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Yes, agree. I'd rather see it flagged than not see it at all.<br>
<br>
Cheers,<br>
Antonio<br>
<br>
<br>
PS: We all know that deleting content on  user's request is nope. GAMA are wonderful teachers ;)<br>
(sent with mobile, please excuse any excessive brevity or typo) <br>
--<br>
Antonio Fontes<br>
OWASP Switzerland, board member<br>
OWASP Geneva, chapter leader<br>
  skype: antonio.fontes<br><br><div class="gmail_quote">On November 26, 2015 1:20:44 AM GMT+01:00, Jim Manico <<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>> wrote:<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

  
    
  
  
    The project is still live and will continue to be.<br>
    <br>
    <a href="https://github.com/OWASP/phpsec" target="_blank">https://github.com/OWASP/phpsec</a><br>
    <br>
    1) It's been labeled clearly as abandoned, which is fair to say I
    think (In both GitHub and the Wiki).<br>
    2) The codebase has been deleted from the main branch<br>
    3) For anyone who wishes to revive this project, all the code is in
    the project history<br>
    <br>
    I think this is a fair balance of all concerns.<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
    <div>On 11/26/15 1:46 AM, Antonio Fontes
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      Hi, <br>
      <br>
      I agree with Abbas on this point. <br>
      <br>
      OWASP has a responsibility to warn users when a library project is
      inactive, unmaintained and/or was identified as broken by experts
      in the domain (if it really is, disclaimer: I have only read the
      content posted in the leaders list). <br>
      <br>
      However, I don't see a valid rationale behind the decision to
      suppress it entirely. Users don't get to decide what gets
      suppressed or not from the web, especially when the content
      doesn't belong to them, more especially when the argument is "it's
      not clean", and even more especially when the request for deletion
      comes from "crypto-experts" (I want to see the badge first). <br>
      <br>
      Our mission as OWASP leaders is to lead, not to baby-sit people,
      who download code marked as unsafe and abandoned, and install it
      in their organization's systems. <br>
      <br>
      If we abide by this rationale, then we should suppress all
      previous versions of the OWASP guides that are currently available
      for download as archives. <br>
      Most of them are incomplete, do not cover the state of the art
      knowledge we have reached today, and many of them contain advice
      that is outdated. <br>
      <br>
      regards,<br>
      Antonio<br>
      <br>
      <pre cols="72">--
OWASP Geneva Chapter
Contact: <a href="mailto:geneva@owasp.ch" target="_blank">geneva@owasp.ch</a>
Twitter: @owasp_geneva
Newsletter: <a href="https://lists.owasp.org/mailman/listinfo/owasp-geneva" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-geneva</a></pre>
      <div>On 11/25/2015 8:02 PM, johanna curiel
        curiel wrote:<br>
      </div>
      <blockquote type="cite">
        <div dir="ltr"><span style="font-size:13px">>>All they
            want is to delete the code entirely, which doesn’t make
            sense to me at all.</span><br>
          <div><span style="font-size:13px"><br>
            </span></div>
          <div>Abbas, their point is that it is not responsible to leave
            this open if no one is going to document or fix. I don't
            think it is responsible to leave an insecure library. And I
            did take the time to read the issues they mentioned. </div>
          <div><br>
          </div>
          <div>You are the major responsible for your project, not the
            users that pinpointed the issues, nor should they go and
            change when they have the opinion that the entire library
            does not serve the purpose.</div>
          <div><br>
          </div>
          <div>People who want to see the whole thread can judge for
            themselves</div>
          <div><a href="https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690" target="_blank">https://github.com/OWASP/phpsec/issues/108#issuecomment-159699690</a><br>
          </div>
          <div><br>
          </div>
          <div>I even defend you as a volunteer but I have the opinion
            that we have a responsibility towards users especially if
            you have not worked in this project for more than a year and
            have no time to fix issues in a security library.</div>
          <div><br>
          </div>
          <div>Even Sven, who was a contributor in this project, accepted
            that this library does not achieve its purpose and should
            not be available to users; it is just not responsible.</div>
          <div><br>
          </div>
          <div>Sometimes we need to kill our darlings...</div>
          <div><br>
          </div>
          <div>Btw I'm just a contributor as you are.</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>Regards</div>
          <div><br>
          </div>
          <div>Johanna</div>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Wed, Nov 25, 2015 at 2:47 PM,
            Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div style="word-wrap:break-word">I’m perfectly fine with
                criticising and QAing projects.
                <div><br>
                </div>
                <div>What I’m not fine with, is reading some blogs or
                  posts somewhere, without verifying their validity, and
                  then putting the blame on our contributors without
                  proper investigation.</div>
                <div><br>
                </div>
                <div>This is not how we defend and motivate our
                  community. </div>
                <div><br>
                </div>
                <div>Plus, the only solution for a “broken library” is
                  either to fix it, or to announce it as broken. These
                  gentlemen insisting on removing the library sounds
                  like trolling to me. They even refuse to add a README
                  file to the Github repo which clearly states that </div>
                <div>this project is inactive and insecure. All they
                  want is to delete the code entirely, which doesn’t
                  make sense to me at all.</div>
                <div><br>
                </div>
                <div>I’m unhappy with your post, because you say “they
                  have valid points” without properly investigating. They
                  think they didn’t make progress by trolling on Github,
                  and now are using you to reflect this issue on the
                  leaders list. You could’ve contacted me first and
                  asked about this before going public with it. I’m very
                  unhappy with the process you have taken for this,
                  undermining a contributor completely. </div>
                <div><br>
                </div>
                <div>Regards</div>
                <span><font color="#888888">
                    </font><div><font color="#888888">-Abbas</font></div>
                  </span>
                <div>
                  <div>
                    <div><br>
                    </div>
                    <div><br>
                      <div>
                        <blockquote type="cite">
                          <div>On Nov 25, 2015, at 1:44 PM, johanna
                            curiel curiel <<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>>

                            wrote:</div>
                          <br>
                          <div>
                            <div dir="ltr">>>If you’d want to keep
                              your “users” happy and your “contributors”
                              unhappy, you should think of a
                              commercial organisation instead of an open
                              one.<br>
                              <div><span style="font-size:13px"><br>
                                </span></div>
                              <div>I think this is a very difficult
                                balance to do. I understand from your
                                pov as contributor but fact is, OWASP
                                has also a reputation of being 'secure'
                                so probably the expectations are higher
                                because we preach security. </div>
                              <div><br>
                              </div>
                              <div>Look, I volunteer too but my
                                proposals get questioned and criticised
                                in a way that it feels to me like I've
                                been questioned as an employee and not a
                                volunteer, but in a certain way, if you
                                look deeply, people questioning my
                                proposals want to achieve goals that
                                are aligned with OWASP mission. And that
                                means I have to work harder to present
                                my arguments. Not because the effort is
                                'volunteered' means it does not hold
                                certain responsibilities.</div>
                              <div><br>
                              </div>
                              <div>Let me ask you: Has this project
                                ever been tested to verify how well it
                                works or not? Most projects at OWASP
                                do not have any form of QA. Security
                                libraries hold more responsibility in
                                this case.</div>
                              <div><br>
                              </div>
                              <div>This is a security library and if it
                                contains security issues then this is a
                                problem. This does not align with the
                                mission, even if a lot of work was put
                                to create this project.</div>
                              <div><br>
                              </div>
                              <div>I don't think they are trolling you.
                                They have valid points and their
                                complaint is that it is not responsible
                                to leave this library to be used if it
                                holds these issues or are not properly
                                explained. And it is not only the crypto
                                issue.</div>
                              <div><br>
                              </div>
                              <div>Regards</div>
                              <div><br>
                              </div>
                              <div>Johanna</div>
                            </div>
                            <div class="gmail_extra"><br>
                              <div class="gmail_quote">On Wed, Nov 25,
                                2015 at 2:28 PM, Abbas Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span>
                                wrote:<br>
                                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                  <div style="word-wrap:break-word">I
                                    agree with all of that.
                                    <div><br>
                                    </div>
                                    <div>This is an open source project.
                                      If they find issues, especially
                                      tiny issues that can be fixed with
                                      a few lines of code,</div>
                                    <div>they are welcome to do so. That
                                      is not grounds for deleting a
                                      project.</div>
                                    <div><br>
                                    </div>
                                    <div>The way I see it, is that they
                                      are trolling, and not helping. I
                                      have not created this library, and
                                      I’m only defending it because it
                                      is the right thing to do.</div>
                                    <div>If you’d want to keep your
                                      “users” happy and your
                                      “contributors” unhappy, you should
                                      think of a commercial organization
                                      instead of an open one.</div>
                                    <div><br>
                                    </div>
                                    <div>Regards</div>
                                    <span><font color="#888888">
                                        </font><div><font color="#888888">-Abbas</font></div>
                                      </span>
                                    <div>
                                      <div>
                                        <div><br>
                                          <div>
                                            <blockquote type="cite">
                                              <div>On Nov 25, 2015, at
                                                1:25 PM, johanna curiel
                                                curiel <<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>>

                                                wrote:</div>
                                              <br>
                                              <div>
                                                <div dir="ltr">Abbas
                                                  <div><br>
                                                  </div>
                                                  <div>I think they made
                                                    very strong points
                                                    and the project is
                                                    right now inactive
                                                    since it has not
                                                    been updated in more
                                                    than a year.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>The people
                                                    commenting on your
                                                    project themselves
                                                    have quite a
                                                    reputation too.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>I think if these
                                                    issues cannot be
                                                    fixed by you since
                                                    you are the leader
                                                    and since the
                                                    project is inactive,
                                                    the best is to warn
                                                    users.</div>
                                                  <div>Sven who was a
                                                    contributor also
                                                    acknowledged the
                                                    issues.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>By the way, from
                                                    complaints of
                                                    multiple PHP
                                                    developers in the
                                                    github page of the
                                                    project to now
                                                    twitter means they
                                                    are not happy and
                                                    they are trying to
                                                    escalate their
                                                    concerns. That's how I
                                                    see this.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>regards</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Johanna</div>
                                                </div>
                                                <div class="gmail_extra"><br>
                                                  <div class="gmail_quote">On

                                                    Wed, Nov 25, 2015 at
                                                    2:20 PM, Abbas
                                                    Naderi <span dir="ltr"><<a href="mailto:abiusx@owasp.org" target="_blank">abiusx@owasp.org</a>></span>
                                                    wrote:<br>
                                                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                      <div style="word-wrap:break-word">They

                                                        are trying to
                                                        troll the
                                                        project.
                                                        <div>Read the
                                                          thread at <a href="https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446" target="_blank">https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446</a> to

                                                          realize that.</div>
                                                        <div>We have
                                                          provided ample
                                                          opportunity
                                                          for them to
                                                          contribute,
                                                          fix, or help
                                                          the project.</div>
                                                        <div>All they
                                                          want is to
                                                          take the
                                                          project down,
                                                          which I
                                                          obviously
                                                          refuse.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>I don’t
                                                          think it
                                                          really hurts
                                                          OWASP
                                                          reputation. If
                                                          anyone delves
                                                          into the
                                                          technical
                                                          discussions
                                                          that would be
                                                          apparent.</div>
                                                        <div>Regards</div>
                                                        <span><font color="#888888">
                                                          </font><div><font color="#888888">-Abbas</font></div>
                                                          </span>
                                                        <div>
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <blockquote type="cite">
                                                          <div>On Nov
                                                          25, 2015, at
                                                          1:17 PM,
                                                          johanna curiel
                                                          curiel <<a href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>>

                                                          wrote:</div>
                                                          <br>
                                                          <div>
                                                          <div dir="ltr">Hi

                                                          Erlend
                                                          <div><br>
                                                          </div>
                                                          <div>We are
                                                          aware of the
                                                          issues and
                                                          remediation is
                                                          underway ;-)</div>
                                                          <div><br>
                                                          </div>
                                                          <div>regards</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Johanna</div>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On

                                                          Wed, Nov 25,
                                                          2015 at 1:54
                                                          PM, Jim Manico
                                                          <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div bgcolor="#FFFFFF" text="#000000">
                                                          Yup, it's bad.<br>
                                                          <br>
                                                          Johanna Curiel
                                                          and Claudia
                                                          are leading
                                                          the charge
                                                          here. They are
                                                          in the process
                                                          of fully
                                                          removing the
                                                          project from
                                                          GitHub. As in,
                                                          right now…<br>
                                                          <br>
                                                          - Jim
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                          <br>
                                                          <div>On
                                                          11/25/15 7:50
                                                          PM, <a href="mailto:erlend.oftedal@owasp.org" target="_blank">erlend.oftedal@owasp.org</a>
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div style="font-family:Calibri,sans-serif;font-size:11pt">Hi<br>
                                                          <br>
                                                          See <a href="https://twitter.com/voodooKobra/status/669537889500311553" target="_blank">https://twitter.com/voodooKobra/status/669537889500311553</a>
                                                          and the link
                                                          in that
                                                          message. <br>
                                                          <br>
                                                          According to
                                                          the OWASP
                                                          website the
                                                          project is
                                                          inactive, yet
                                                          contributions
                                                          are made on
                                                          github, and
                                                          there are no
                                                          signs of the
                                                          project status
                                                          on github.<br>
                                                          The crypto
                                                          code is bad,
                                                          as voodooKobra
                                                          rightly points
                                                          out. With a
                                                          known key and
                                                          iv, this
                                                          encryption is
                                                          useless.<br>
                                                          And the code
                                                          is referenced
                                                          from
                                                          stackoverflow++.<br>
                                                          <br>
                                                          When
                                                          deactivating a
                                                          project we
                                                          need to make
                                                          sure the
                                                          deactivation
                                                          is clearly
                                                          visible on
                                                          github as
                                                          well.<br>
                                                          <br>
                                                          Best regards<br>
                                                          Erlend Oftedal<br>
                                                          OWASP Norway<br>
                                                          @webtonull</div>
                                                          </div>
                                                          <br>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <pre>_______________________________________________
OWASP-Leaders mailing list
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a>
</pre>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          <br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                        </div>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                </div>
                                              </div>
                                            </blockquote>
                                          </div>
                                          <br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                              </div>
                              <br>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
        <br>
      </blockquote>
      <br>
      <br>
    </blockquote>
    <br>
    <pre cols="72">-- 
Jim Manico
Global Board Member
OWASP Foundation
<a href="https://www.owasp.org" target="_blank">https://www.owasp.org</a></pre>
  

</blockquote></div></blockquote></div></div><br>
<br></blockquote></div>