[pycrypto] how to handle known security holes Re: Comments on Elgamal, and a broader question: Whither pycrypto?
don at amberfisharts.com
Mon Jan 3 13:43:48 CST 2011
A quick Google Code Search for "ElGamal lang:python" revealed three different package types.

The first category uses pycrypto:
* they bundle ezPyCrypto
* site is in Hungarian, but they seem to bundle ezPyCrypto in their snapshots
* various projects include it via Google's App Engine. However, I don't know if they actually use it.

The second category simply bundles a version of pycrypto:
* seems to be based on pycrypto-2.0.1

The third category implements ElGamal themselves:
* also many other GitHub projects by the same user
Category 1 should be the most important IMHO.
Of course this list comes without warranty.
I hope this is helpful.
On 01/03/2011 05:54 PM, Dwayne C. Litzenberger wrote:
> Could someone volunteer to do a quick survey of publicly available code that uses PyCrypto to see who (if anyone) is actually using Crypto.PublicKey.ElGamal?
> "Paul Hoffman" <paul.hoffman at gmail.com> wrote:
>> On Mon, Jan 3, 2011 at 7:15 AM, Zooko O'Whielacronx <zooko at zooko.com>
>>> We need to decide what to do when we find flaws in PyCrypto which
>>> would expose a user who relies on PyCrypto to harm.
>>> It wouldn't hurt to send an announcement email in some consistent
>>> format saying something like "security advisory" in the subject line,
>>> and to update the download page or a NEWS page or whatever to warn
>>> about the insecure Elgamal implementation.
>>> Perhaps also delete, comment-out, or disable the Elgamal
>>> implementation and ship a new release of PyCrypto.
>>> It really makes me uncomfortable to see the PyCrypto project ship
>>> software to users which claims on the label that they can rely on it
>>> when we know that if they do, they may be exposed to harm.
>> +1 to commenting out or disabling things which anyone has serious
>> security concerns over.