On Fri, Sep 6, 2013 at 8:03 AM, Tom O <[email protected]> wrote: > Posting a news article without context or response from Veracode is weak.
That was just a reminder for a topic that has already been discussed on this list. My main intention was to provide an example (in the form of a post similar to yours) for Jonathan Wilkes' remark wrt. affected reputation. > Chris Wysopal stated the static crypto checks were run to check if the API's > were implemented correctly, not implementation of custom keygen. I am sure there are after-the-fact excuses. Since you didn't provide a reference, I assume that this specific excuse if not something worthy of attention. Veracode's report is here, if you are interested: https://blog.crypto.cat/wp-content/uploads/2013/02/Cryptocat_Attestation_Veracode_20130222_final.pdf Looking at the code is indeed not mentioned in the report, so it's all fine, I guess — just make sure something like that is in the next contract. -- Maxim Kammerer Liberté Linux: http://dee.su/liberte -- Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
