<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20how%20to%20handle%20known%20security%20holes%20Re%3A%20Comments%20on%0A%20Elgamal%2C%20and%20a%20broader%20question%3A%20Whither%20pycrypto%3F&In-Reply-To=">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000372.html">
   <LINK REL="Next"  HREF="000370.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?</H1>
    <B>Zooko O'Whielacronx</B> 
    <A HREF="mailto:pycrypto%40lists.dlitz.net?Subject=%5Bpycrypto%5D%20how%20to%20handle%20known%20security%20holes%20Re%3A%20Comments%20on%0A%20Elgamal%2C%20and%20a%20broader%20question%3A%20Whither%20pycrypto%3F&In-Reply-To="
       TITLE="[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?">zooko at zooko.com
       </A><BR>
    <I>Mon Jan  3 09:15:21 CST 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="000372.html">[pycrypto] pycryptopp alternative
</A></li>
        <LI>Next message: <A HREF="000370.html">[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#369">[ date ]</a>
              <a href="thread.html#369">[ thread ]</a>
              <a href="subject.html#369">[ subject ]</a>
              <a href="author.html#369">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Folks:

We need to decide what to do when we find flaws in PyCrypto which
would expose a user who relies on PyCrypto to harm.

It wouldn't hurt to send an announcement email in some consistent
format saying something like &quot;security advisory&quot; in the subject line,
and to update the download page or a NEWS page or whatever to warn
about the insecure Elgamal implementation.

Perhaps also delete, comment-out, or disable the Elgamal
implementation and ship a new release of PyCrypto.

It really makes me uncomfortable to see the PyCrypto project ship
software to users which claims on the label that they can rely on it
when we know that if they do, they may be exposed to harm.

Regards,

Zooko
</PRE>



<!--endarticle-->

<hr>
<a href="http://lists.dlitz.net/cgi-bin/mailman/listinfo/pycrypto">More information about the pycrypto
mailing list</a><br>
</body></html>