

Huge flaw in Ubuntu Dapper’s Python Crypto Module - st3fan
http://stefan.arentz.nl/2008/04/03/huge-flaw-in-ubuntu-dappers-python-crypto-module/

======
notauser
Crypto is a special case problem. I have a pretty good level of education
(formal and personal) but I would still avoid rolling my own solution for
anything non-trivial.

This is not so much because I expect to make a mistake, but more because of
the impossibility of getting testing (and therefore maturity) that matches an
established open source library.

For Java Script one possibility is
<http://code.google.com/p/clipperz/wiki/CryptoLibrary> (AGPL), I'd be
interested to hear of others.

------
zooko
This bug was the last straw for why I stopped using the pycrypto library and
wrote my own Python wrappers about Crypto++:

<http://allmydata.org/trac/pycryptopp>

------
marcus
Bug was found a couple of months ago, a patch is available

[https://bugs.launchpad.net/ubuntu/+source/python-
crypto/+bug...](https://bugs.launchpad.net/ubuntu/+source/python-
crypto/+bug/191683)

------
icky
Incidentally, in python 2.5 and later (probably not available in Dapper's
repo), you should use the standard hashlib module for generating hash digests.

