github.com/zmap/zcrypto

[begemot63]

Hello,
cloudflare/cfssl has direct dependency from github.com/zmap/zcrypto. The package becomes our service 4th dependency.
The github.com/zmap/zcrypto Readme file specifies :
"ZCrypto is a research library, designed to be used for data collection and analysis, as well as experimenting and prototyping. It should not be used to provide security for production systems."
We cannot use in production package which is marked by developer as dangerous and experimental .
The is possible to exclude github.com/zmap/zcrypto from dependency ? Could it be optional and driven by configuration?

[beauhoyt]

https://github.com/cloudflare/cfssl/blob/master/signer/local/local.go#L173

Doing a quick search through the code shows it's only used in one place and it's only used for linting.

[begemot63]

Although it is one line it is still dependency which does not allow us to pass corporate security and use GoLang package

…

Sent from my iPhone

On Jun 9, 2023, at 12:40 AM, Beau Hoyt ***@***.***> wrote:  https://github.com/cloudflare/cfssl/blob/master/signer/local/local.go#L173 Doing a quick search through the code shows it's only used in one place and it's only used for linting. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.

[nickysemenza]

zcrypto is required because it's needed for zlint, which is a very popular tool used by practically every CA: https://github.com/zmap/zlint#zlint-usersintegrations - in other words I don't think that notice should be taken at face value - https://github.com/search?q=repo%3Aletsencrypt%2Fboulder%20zcrypto&type=code here's example of Let's Encrypt importing zcrypto - I think you could gather some other good evidence to prove this library's usecase to your security team :)

[begemot63]

Security team does not allow us to add into our dependency any libraries which has such notice: Danger and Experimental and should not be used on production. *ZCrypto package has the follow definition in * https://github.com/zmap/zcrypto *:*[image: Danger: Experimental] <https://camo.githubusercontent.com/275bc882f21b154b5537b9c123a171a30de9e6aa/68747470733a2f2f7261772e6769746875622e636f6d2f63727970746f7370686572652f63727970746f7370686572652f6d61737465722f696d616765732f6578706572696d656e74616c2e706e67> *ZCrypto is a research library, designed to be used for data collection and analysis, as well as experimenting and prototyping. It should not be used to provide security for production systems.* Please use different dependencies to resolve your technical requirements otherwise you are breaking security concerns. We cannot change or challenge security guidelines. The Security Architecture team has rejected our business approval request to use this open source library *. *

…

On Thu, Jun 29, 2023 at 1:33 PM Nicky Semenza ***@***.***> wrote: zcrypto is required because it's needed for zlint, which is a very popular tool used by practically every CA: https://github.com/zmap/zlint#zlint-usersintegrations - in other words I don't think that notice should be taken at face value - https://github.com/search?q=repo%3Aletsencrypt%2Fboulder%20zcrypto&type=code here's example of Let's Encrypt importing zcrypto - I think you could gather some other good evidence to prove this library's usecase to your security team :) — Reply to this email directly, view it on GitHub <#1284 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEW3G6I6JQPUTG6ST66SXTTXNXRC3ANCNFSM6AAAAAAXDR2DPA> . You are receiving this because you authored the thread.Message ID: ***@***.***>