[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?

Dwayne C. Litzenberger dlitz at dlitz.net
Mon Jan 3 10:54:22 CST 2011


Could someone volunteer to do a quick survey of publicly available code that uses PyCrypto to see who (if anyone) is actually using Crypto.PublicKey.ElGamal?

"Paul Hoffman" <paul.hoffman at gmail.com> wrote:

>On Mon, Jan 3, 2011 at 7:15 AM, Zooko O'Whielacronx <zooko at zooko.com>
>> Folks:
>> We need to decide what to do when we find flaws in PyCrypto which
>> would expose a user who relies on PyCrypto to harm.
>> It wouldn't hurt to send an announcement email in some consistent
>> format saying something like "security advisory" in the subject line,
>> and to update the download page or a NEWS page or whatever to warn
>> about the insecure Elgamal implementation.
>> Perhaps also delete, comment-out, or disable the Elgamal
>> implementation and ship a new release of PyCrypto.
>> It really makes me uncomfortable to see the PyCrypto project ship
>> software to users which claims on the label that they can rely on it
>> when we know that if they do, they may be exposed to harm.
>+1 to commenting out or disabling things which anyone has serious
>security concerns over.
>pycrypto mailing list
>pycrypto at lists.dlitz.net

Sent from my Android phone with K-9 Mail. Please excuse my brevity.

More information about the pycrypto mailing list