[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?

Zooko O'Whielacronx zooko at zooko.com
Mon Jan 3 09:15:21 CST 2011


We need to decide what to do when we find flaws in PyCrypto which
would expose a user who relies on PyCrypto to harm.

It wouldn't hurt to send an announcement email in some consistent
format saying something like "security advisory" in the subject line,
and to update the download page or a NEWS page or whatever to warn
about the insecure Elgamal implementation.

Perhaps also delete, comment-out, or disable the Elgamal
implementation and ship a new release of PyCrypto.

It really makes me uncomfortable to see the PyCrypto project ship
software to users which claims on the label that they can rely on it
when we know that if they do, they may be exposed to harm.
