FYI...

There are some concerns over my involvement with Crypto++. I contacted
Wei and asked if he would like me to resign as one of the maintainers
of the library. If anyone would like me to resign, please speak up
now.

I'm not sure about some of the statements below, like having Denis'
personal endorsement or Bitvise's endorsement. Wei was clear that he
turned the library over to the community, and gave several folks
check-in privileges.

Jeff

On Thu, Sep 26, 2019 at 3:20 PM denis bider (Bitvise)
<[email protected]> wrote:
>
> To all who care about Crypto++,
>
> this is an official statement from Bitvise regarding the C++
> cryptographic library, Crypto++, which Bitvise has used for years.
>
> The original Crypto++ was developed by Wei Dai, a co-founder at Bitvise.
> For some years now, the library has been maintained by Jeffrey Walton.
> As far as I know, Jeffrey was chosen by Wei. I was not involved in the
> process.
>
> From the start of his involvement, Jeffrey has tried to position
> himself so as to imply that he has my personal endorsement and/or
> support, and perhaps even Bitvise's.
>
> Jeffrey assumed this without asking. He did not take actions to actually
> have my endorsement and/or support. He kept trying to cajole me into
> taking a more active role in Crypto++ under his leadership. He put me on
> a list of the project's principals without asking.
>
> Jeffrey's behavior caused me to initially distrust his work. Bitvise did
> not upgrade to new versions of Crypto++ released by Jeffrey. We still
> have not done so. We use the latest version released under Wei's
> authorship. We use fixes for individual issues which I applied manually.
>
> Recently, a researcher discovered a timing side channel in the Crypto++
> implementation of ECDSA (CVE-2019-14318). Bitvise now primarily uses
> Windows for cryptography. However, we still rely on Crypto++ in some
> situations. Therefore, this is an issue for which we want a mitigation.
> Jeffrey implemented a mitigation.
>
> Over the years, I observed Jeffrey working on Crypto++ with what
> appeared to be diligence and technical sophistication. A great deal of
> competence is required to implement a mitigation for a timing side
> channel. The fact that he did so is impressive.
>
> Multiple times since 2015, I offered Jeffrey work at Bitvise, either
> as a contractor or as an employee. I judged his technical competence
> would be an asset, and by working together I could gauge him to bridge
> distrust. Time and again, Jeffrey was evasive. We spent time and effort
> drafting agreements and discussing terms. Then, he would stop responding.
>
> With the recent ECDSA side channel issue, it became more important to
> understand whether Jeffrey can be trusted. I decided to overlook what
> appeared to be quirks and evasive behaviors. I went all-in to
> accommodate him, to remove any obstacle I could possibly remove to allow
> us to work together. For a brief 3 week period, Jeffrey was Bitvise's
> employee.
>
> As you can assume, this ended in an unfortunate way. The experience was
> so jarring and perplexing that my trust in Jeffrey is demolished. He
> created a situation where I am left to choose between doubting his moral
> integrity, or doubting his basic competence. Since he maintains Crypto++
> and implemented a timing side channel mitigation for ECDSA - among many
> other things - it beggars belief to doubt his competence. As a result,
> due to a number of preposterous claims, I am left in a place where I do
> not trust his personal integrity.
>
> This experience has provided Bitvise with information regarding
> Crypto++. This information is, unfortunately, negative.
>
> Bitvise does not trust Crypto++ under Jeffrey Walton's custodianship. We
> will not upgrade to Crypto++ versions released by him. Others are free
> to decide whom they trust. However, Bitvise does not vouch, and I do not
> vouch, for Jeffrey or for Crypto++ under his custodianship.
>
> Best regards,
>
> denis bider, President
> Bitvise Limited

-- 
You received this message because you are subscribed to "Crypto++ Users". More 
information about Crypto++ and this group is available at 
http://www.cryptopp.com and 
http://groups.google.com/forum/#!forum/cryptopp-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/cryptopp-users/CAH8yC8%3DifXowx5maLGSrL5eAPdW5pwYU-g3AYpBuy7whVNB9pQ%40mail.gmail.com.