[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
paul.hoffman at gmail.com
Mon Jan 3 10:40:18 CST 2011
On Mon, Jan 3, 2011 at 7:15 AM, Zooko O'Whielacronx <zooko at zooko.com> wrote:
> We need to decide what to do when we find flaws in PyCrypto which
> would expose a user who relies on PyCrypto to harm.
> It wouldn't hurt to send an announcement email in some consistent
> format saying something like "security advisory" in the subject line,
> and to update the download page or a NEWS page or whatever to warn
> about the insecure Elgamal implementation.
> Perhaps also delete, comment-out, or disable the Elgamal
> implementation and ship a new release of PyCrypto.
> It really makes me uncomfortable to see the PyCrypto project ship
> software to users which claims on the label that they can rely on it
> when we know that if they do, they may be exposed to harm.
+1 to commenting out or disabling things which anyone has serious
security concerns over.
More information about the pycrypto