Mailing List Archive

Report side-channel leakages
Hello,

We found some secret-dependent control-flows in the latest version of
libgcrypt (1.8.6). Those leakage sites may lead to potential
side-channel attacks. I was wondering if you are interested in fixing those
leakages? If so, could you please share us with the way to report those
side-channel leakages?

Thanks,
Qinkun Bao
Re: Report side-channel leakages
When I reported some side-channel vulnerabilities Werner Koch got angry, taking it as a loss of face, and started making it difficult to get my patches accepted, by raising copyright arguments that are both incorrect and contradictory to his previous comments, where he said there would be no copyright problem.
Shawn Landden

15:37, 24 August 2020, "Qinkun Bao via Gcrypt-devel" <gcrypt-devel@gnupg.org>:
Hello,
We found some secret-dependent control-flows in the latest version of libgcrypt (1.8.6). Those leakage sites may lead to potential side-channel attacks. I was wondering if you are interested in fixing those leakages? If so, could you please share us with the way to report those side-channel leakages?
Thanks,
Qinkun Bao



--
Shawn Landden
Re: Report side-channel leakages
On Mon, 24 Aug 2020 09:43, Shawn Landden said:
> When I reported some side-channel vulnerabilities Werner Koch got angry,
> taking it as a loss of face, and started making it difficult to get my patches
> accepted, by raising copyright arguments that are both incorrect and

I am not sure which side-channel vulnerabilities you mean here. Can you
please explain and point me to the respective mail?

I recall a debate around July 2019 on whether to include code from an
OpenSSL related project called Cryptograms. I replied that the license
is not compatible with the LGPL and Jussi was kind to implement PowerPC
vector Crypto for AES on top of your patch but without Cryptograms.

Anyway, to report security bugs, we have instructions at

gnupg.org->Documentation->Security

Should be easy enough to find. The security address as stated in each
project's AUTHORS file is also monitored by the core developers.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.