I reviewed python-ecdsa version 0.11-1 as checked into utopic. This should not be considered a full security audit; no effort has been made to verify that this library is free from timing leaks, information leaks, nor cryptographically relevant implementation flaws. Anyone interested in relying upon this library would be wise to consult with a professional cryptographer to determine suitability for purpose.
Because the codebase is short and sweet, I'll skip the more exhaustive checklist. This library doesn't daemonize, doesn't do networking, doesn't provide exotic interfaces. It just does DER and ECC. The code looks clean and careful, parameters are checked for validity, there are copious references to authoritative sources to find algorithms, enough test vectors to have confidence in simple uses of the library, and the scope of the project is small enough that it is unlikely to need drastic work. With a quick re-iteration that there are many different kinds of implementation flaws that are fatal to cryptographic libraries that are well beyond the scope of a quick review, the code looks straightforward. Security team ACK for promoting python-ecdsa to main. ** Changed in: python-ecdsa (Ubuntu) Assignee: Seth Arnold (seth-arnold) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1336783 Title: [MIR] python-ecdsa To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-ecdsa/+bug/1336783/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs