cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License
8.74k stars 1.11k forks

github.com/zmap/zcrypto #1284

Open begemot63 opened 1 year ago

begemot63 commented 1 year ago

Hello, cloudflare/cfssl has a direct dependency on github.com/zmap/zcrypto. The package becomes our service's 4th dependency. The github.com/zmap/zcrypto Readme file specifies: "ZCrypto is a research library, designed to be used for data collection and analysis, as well as experimenting and prototyping. It should not be used to provide security for production systems." We cannot use in production a package which its developer has marked as dangerous and experimental. Is it possible to exclude github.com/zmap/zcrypto from the dependencies? Could it be optional and driven by configuration?

beauhoyt commented 1 year ago

https://github.com/cloudflare/cfssl/blob/master/signer/local/local.go#L173

Doing a quick search through the code shows it's only used in one place, and only for linting.
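The claim above ("only used in one place") is about import sites; a security reviewer will also want the module-graph view, i.e. every path by which github.com/zmap/zcrypto reaches the service. In a real module `go mod graph` and `go mod why -m github.com/zmap/zcrypto` answer this. The following is an added example, not code from cfssl or from anyone in this thread: it re-implements the path search over a constructed `go mod graph` output so it runs offline. The module names follow the thread (cfssl requires zcrypto directly and also via zlint), but the edges, the `example.com/service` root and the `v0.0.0-example` versions are assumptions standing in for real `go mod graph` output.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is CONSTRUCTED `go mod graph` output ("parent child" per line).
// Edges and versions are assumptions for illustration; regenerate with
// `go mod graph` in your own module before drawing conclusions.
const sampleGraph = `example.com/service github.com/cloudflare/cfssl@v0.0.0-example
example.com/service golang.org/x/crypto@v0.0.0-example
github.com/cloudflare/cfssl@v0.0.0-example github.com/zmap/zlint/v3@v0.0.0-example
github.com/cloudflare/cfssl@v0.0.0-example github.com/zmap/zcrypto@v0.0.0-example
github.com/zmap/zlint/v3@v0.0.0-example github.com/zmap/zcrypto@v0.0.0-example
github.com/zmap/zcrypto@v0.0.0-example golang.org/x/crypto@v0.0.0-example
`

// stripVersion turns "path@v1.2.3" into "path" so edges are keyed by module path.
func stripVersion(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// parseGraph reads `go mod graph` output into an adjacency list keyed by
// module path, dropping versions and duplicate edges.
func parseGraph(out string) map[string][]string {
	graph := map[string][]string{}
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		parent, child := stripVersion(fields[0]), stripVersion(fields[1])
		key := parent + " " + child
		if !seen[key] {
			seen[key] = true
			graph[parent] = append(graph[parent], child)
		}
	}
	return graph
}

// pathsTo enumerates every simple path from root to target (DFS with an
// on-path set to avoid cycles), sorted so output is stable.
func pathsTo(graph map[string][]string, root, target string) [][]string {
	var paths [][]string
	onPath := map[string]bool{}
	var walk func(node string, trail []string)
	walk = func(node string, trail []string) {
		trail = append(trail, node)
		if node == target {
			paths = append(paths, append([]string(nil), trail...)) // copy before recording
			return
		}
		onPath[node] = true
		for _, next := range graph[node] {
			if !onPath[next] {
				walk(next, trail)
			}
		}
		onPath[node] = false
	}
	walk(root, nil)
	sort.Slice(paths, func(i, j int) bool {
		return strings.Join(paths[i], " ") < strings.Join(paths[j], " ")
	})
	return paths
}

// onlyVia reports whether every path to the target passes through via, i.e.
// whether removing via would also remove the target from the build list.
func onlyVia(paths [][]string, via string) bool {
	if len(paths) == 0 {
		return false
	}
	for _, p := range paths {
		found := false
		for _, m := range p[:len(p)-1] { // exclude the target itself
			if m == via {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	g := parseGraph(sampleGraph)
	paths := pathsTo(g, "example.com/service", "github.com/zmap/zcrypto")
	for _, p := range paths {
		fmt.Println(strings.Join(p, " -> "))
	}
	fmt.Println("reachable only through zlint:", onlyVia(paths, "github.com/zmap/zlint/v3"))
}
```

On the constructed graph the result shows the distinction that matters for this thread: zlint is not the only route, because cfssl requires zcrypto directly as well, so dropping zlint alone would not remove zcrypto from the build list. Substitute real `go mod graph` output to get the answer for your own module.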

begemot63 commented 1 year ago

Although it is one line, it is still a dependency, which does not allow us to pass corporate security review and use the Go package.


nickysemenza commented 1 year ago

zcrypto is required because it's needed for zlint, which is a very popular tool used by practically every CA: https://github.com/zmap/zlint#zlint-usersintegrations. In other words, I don't think that notice should be taken at face value. Here is an example of Let's Encrypt importing zcrypto: https://github.com/search?q=repo%3Aletsencrypt%2Fboulder%20zcrypto&type=code. I think you could gather some other good evidence to prove this library's use case to your security team :)

begemot63 commented 1 year ago

The security team does not allow us to add to our dependencies any libraries which carry such a notice: "Danger and Experimental" and "should not be used in production".

The ZCrypto package has the following definition in https://github.com/zmap/zcrypto (badge: "Danger: Experimental"):

ZCrypto is a research library, designed to be used for data collection and analysis, as well as experimenting and prototyping. It should not be used to provide security for production systems.

Please use different dependencies to resolve your technical requirements; otherwise you are creating security concerns. We cannot change or challenge security guidelines. The Security Architecture team has rejected our business approval request to use this open source library.
