github.com/zmap/zcrypto #1284
https://github.com/cloudflare/cfssl/blob/master/signer/local/local.go#L173 Doing a quick search through the code shows it's only used in one place and it's only used for linting.
Although it is one line, it is still a dependency which does not allow us to pass corporate security and use the GoLang package.
On Jun 9, 2023, at 12:40 AM, Beau Hoyt ***@***.***> wrote:
zcrypto is required because it's needed for zlint, which is a very popular tool used by practically every CA: https://github.com/zmap/zlint#zlint-usersintegrations - in other words I don't think that notice should be taken at face value - https://github.com/search?q=repo%3Aletsencrypt%2Fboulder%20zcrypto&type=code here's an example of Let's Encrypt importing zcrypto - I think you could gather some other good evidence to prove this library's use case to your security team :)
The security team does not allow us to add into our dependencies any library which has such a notice: Danger and Experimental, and should not be used in production.
The ZCrypto package has the following definition in https://github.com/zmap/zcrypto: [image: Danger: Experimental]
"ZCrypto is a research library, designed to be used for data collection and analysis, as well as experimenting and prototyping. It should not be used to provide security for production systems."
Please use different dependencies to resolve your technical requirements, otherwise you are breaking security concerns.
We cannot change or challenge security guidelines.
The Security Architecture team has rejected our business approval request to use this open source library.
On Thu, Jun 29, 2023 at 1:33 PM Nicky Semenza ***@***.***> wrote:
Hello,
cloudflare/cfssl has a direct dependency on github.com/zmap/zcrypto. The package becomes our service's 4th dependency.
The github.com/zmap/zcrypto Readme file specifies:
"ZCrypto is a research library, designed to be used for data collection and analysis, as well as experimenting and prototyping. It should not be used to provide security for production systems."
We cannot use in production a package which is marked by its developer as dangerous and experimental.
Is it possible to exclude github.com/zmap/zcrypto from the dependencies? Could it be optional and driven by configuration?
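One way to confirm where a transitive module such as zcrypto enters a build, as an added example that is not part of this issue or of cfssl's own code: a small Go program that reads `go mod graph`-style output ("parent child" per line) and prints the shortest require chain from the root module to a target, plus every module that requires the target directly. The graph below is constructed for illustration (the `example.com/service` root and its edges are assumptions, not real cfssl output); on a real checkout, `go mod graph` and `go mod why -m <module>` supply the actual data, and the direct-importer list is what a replacement or removal would have to touch.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the shape of `go mod graph` output ("parent child"
// per line; versions omitted for brevity). Not real cfssl output: the edges
// and the example.com/service root module are assumptions for illustration.
const sampleGraph = `example.com/service github.com/cloudflare/cfssl
example.com/service golang.org/x/crypto
github.com/cloudflare/cfssl github.com/zmap/zlint
github.com/cloudflare/cfssl golang.org/x/crypto
github.com/zmap/zlint github.com/zmap/zcrypto
github.com/zmap/zcrypto golang.org/x/crypto`

// ParseGraph turns go-mod-graph-style lines into an adjacency list keyed by
// module path. A trailing "@version" on either side is dropped so that the
// same module at several versions collapses into one node.
func ParseGraph(text string) map[string][]string {
	deps := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		parent, child := stripVersion(fields[0]), stripVersion(fields[1])
		deps[parent] = append(deps[parent], child)
	}
	return deps
}

func stripVersion(mod string) string {
	if i := strings.IndexByte(mod, '@'); i >= 0 {
		return mod[:i]
	}
	return mod
}

// WhyPath returns the shortest require chain from root to target (root first),
// or nil if target is unreachable. Breadth-first search gives the shortest
// chain; the prev map doubles as the visited set, so cycles cannot loop.
func WhyPath(deps map[string][]string, root, target string) []string {
	prev := map[string]string{root: ""}
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == target {
			var path []string
			for n := cur; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range deps[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// Importers lists every module that directly requires target, sorted, which is
// the set of places a replacement or removal would have to touch.
func Importers(deps map[string][]string, target string) []string {
	var out []string
	for parent, children := range deps {
		for _, c := range children {
			if c == target {
				out = append(out, parent)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	deps := ParseGraph(sampleGraph)
	chain := WhyPath(deps, "example.com/service", "github.com/zmap/zcrypto")
	fmt.Println("require chain:", strings.Join(chain, " -> "))
	fmt.Println("direct importers:", Importers(deps, "github.com/zmap/zcrypto"))
}
```

The chain printed for the constructed graph is service -> cfssl -> zlint -> zcrypto, which matches the thread's observation that zcrypto arrives through zlint rather than being used by cfssl directly; the importer list shows that only one module would need to change to drop it.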