On Monday, June 3, 2019 at 6:05:20 AM UTC-4, Jeffrey Walton wrote:
>
> Hi Everyone,
>
> We started running Crypto++ through https://lgtm.com, which provides 
> security related recommendations. We're seeing some old warnings like: 
> DERGeneralEncoder is signature-compatible with a copy constructor when its 
> default arguments are taken into account... 
>
> I think that was a design choice by Wei early in the library. I think the 
> complaint is mostly style, but I don't like that it is getting in the way 
> of a quick-and-dirty security evaluation. That's a recipe for bug reports, 
> mailing list messages and failed audits.
>
> My question is, should we clear them?
>

We moved forward with clearing the findings so they would not creep into 
someone's security evaluation of the library. Also see 
https://github.com/weidai11/cryptopp/commit/a6440086792 .

We ran cryptest-symbols.sh on the change, and it does not appear symbols 
went missing. I think we should be OK to stay the course with a minor 
version bump.

Jeff
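
What the lgtm finding quoted above describes, as an added example that is not part of the original message and not Crypto++ code: `Sink`, `Flagged` and `Cleared` are hypothetical stand-ins, and the cleared shape is one possible fix assumed for illustration, not necessarily what the linked commit does.

```cpp
#include <type_traits>

// Hypothetical stand-in for an output queue (not a Crypto++ class).
struct Sink {
    virtual ~Sink() {}
};

// Flagged shape: the second constructor takes Flagged& first and defaults
// everything after it, so the language treats it as a copy constructor.
struct Flagged : Sink {
    explicit Flagged(Sink &out, unsigned char tag = 0x30)
        : Sink(), parent(&out), asnTag(tag) {}
    Flagged(Flagged &out, unsigned char tag = 0x30)
        : Sink(), parent(&out), asnTag(tag) {}
    Sink *parent;          // where this encoder writes
    unsigned char asnTag;  // constructed sample tag value
};

// Assumed cleared shape: nesting requires an explicit tag, and copying is
// deleted, so a one-argument "copy" is a compile error instead of a surprise.
struct Cleared : Sink {
    explicit Cleared(Sink &out, unsigned char tag = 0x30)
        : Sink(), parent(&out), asnTag(tag) {}
    Cleared(Cleared &out, unsigned char tag)
        : Sink(), parent(&out), asnTag(tag) {}
    Cleared(const Cleared &) = delete;
    Sink *parent;
    unsigned char asnTag;
};

// Reads like a copy, but builds a child encoder that points at the original.
bool flagged_copy_nests() {
    Sink root;
    Flagged outer(root);
    Flagged inner(outer);  // selects Flagged(Flagged&, tag = 0x30)
    return inner.parent == &outer && outer.parent == &root;
}

// Nesting still works when spelled out; the ambiguous one-argument form is gone.
bool cleared_nests_only_with_tag() {
    Sink root;
    Cleared outer(root);
    Cleared inner(outer, 0x30);
    return inner.parent == &outer &&
           !std::is_constructible<Cleared, Cleared &>::value;
}

int main() { return (flagged_copy_nests() && cleared_nests_only_with_tag()) ? 0 : 1; }
```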
