1 files changed, 77 insertions, 0 deletions

diff --git a/pipermail/pycrypto/2011q1/000369.html b/pipermail/pycrypto/2011q1/000369.html
new file mode 100644
index 0000000..03bab58
--- /dev/null
+++ b/pipermail/pycrypto/2011q1/000369.html
@@ -0,0 +1,77 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20how%20to%20handle%20known%20security%20holes%20Re%3A%20Comments%20on%0A%20Elgamal%2C%20and%20a%20broader%20question%3A%20Whither%20pycrypto%3F&In-Reply-To=">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="000372.html">
+   <LINK REL="Next"  HREF="000370.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?</H1>
+    <B>Zooko O'Whielacronx</B> 
+    <A HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20how%20to%20handle%20known%20security%20holes%20Re%3A%20Comments%20on%0A%20Elgamal%2C%20and%20a%20broader%20question%3A%20Whither%20pycrypto%3F&In-Reply-To="
+       TITLE="[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?">zooko at zooko.com
+       </A><BR>
+    <I>Mon Jan  3 09:15:21 CST 2011</I>
+    <P><UL>
+        <LI>Previous message: <A HREF="000372.html">[pycrypto] pycryptopp alternative
+</A></li>
+        <LI>Next message: <A HREF="000370.html">[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#369">[ date ]</a>
+              <a href="thread.html#369">[ thread ]</a>
+              <a href="subject.html#369">[ subject ]</a>
+              <a href="author.html#369">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>Folks:
+
+We need to decide what to do when we find flaws in PyCrypto which
+would expose a user who relies on PyCrypto to harm.
+
+It wouldn't hurt to send an announcement email in some consistent
+format saying something like &quot;security advisory&quot; in the subject line,
+and to update the download page or a NEWS page or whatever to warn
+about the insecure Elgamal implementation.
+
+Perhaps also delete, comment-out, or disable the Elgamal
+implementation and ship a new release of PyCrypto.
+
+It really makes me uncomfortable to see the PyCrypto project ship
+software to users which claims on the label that they can rely on it
+when we know that if they do, they may be exposed to harm.
+
+Regards,
+
+Zooko
+</PRE>
+
+
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message: <A HREF="000372.html">[pycrypto] pycryptopp alternative
+</A></li>
+	<LI>Next message: <A HREF="000370.html">[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#369">[ date ]</a>
+              <a href="thread.html#369">[ thread ]</a>
+              <a href="subject.html#369">[ subject ]</a>
+              <a href="author.html#369">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">More information about the pycrypto
+mailing list</a><br>
+</body></html>