[kdbuck]

I think it's great that stuff like this is brought to the surface, but it also troubles me that the author makes no mention of submitting a PR to improve the _open source_ code base... They seem more content to discuss boycotting and abandonment instead.

[CiPHPerCoder]

I'm the person who published this advisory to oss-sec and a co-author of https://github.com/defuse/php-encryption

I also wrote https://github.com/paragonie/halite which is a PHP library aims to make libsodium incredibly easy for PHP developers to get right.

For systems that need asymmetric crypto and can't install libsodium, I also wrote https://github.com/paragonie/EasyRSA which side-steps a lot of the mistakes developers make. EasyRSA uses defuse for symmetric-key encryption, then encrypts the AES key with RSA.

Writing secure cryptography isn't trivial. Assuming the three projects I just linked to are secure enough to use (all indications point to: they are), there's literally no reason to reinvent the wheel solely for Magento.

Magento already uses Composer; they could just add them to their composer.json file and rewrite their routines to use defuse + maybe EasyRSA if they have a use case for it.

Zend\Crypt is also an acceptable choice, as long as you don't install the version with an RSA implementation vulnerable to padding oracle attacks. https://framework.zend.com/security/advisory/ZF2015-10

[phyzome]

It sure would be nice if the author did that, but crypto is a non-trivial amount of work to get right.

It's easy to look at one small part of a codebase and say "this is wrong", but to get it right you have to learn large chunks of the code. Be aware what level of work you are shoving onto the author in your comment.

[kdbuck]

I did aim to clarify things in one of my responses below. It wasn't my intent to suggest that the author should necessarily be the one making a PR. My main point is that contribution and improvement should be encouraged where this post leans more towards staying away from a piece of open source code altogether.

[TheRealPomax]

But keep in mind that people have plenty of time to have a look at a codebase, but often do not in any way shape or form have anywhere near enough time to actually work on that code, even to file what you might call "a simple PR". Spotting errors is a very quick job. Writing even a small PR on a codebase you do not work on, that properly passes tests (in this case crucial) as well as fuzzing (again, it's crypto, it's crucial) takes hours if not days. Sometimes, and this is one of those times, the only thing you're going to realistically get is feedback that you should act on ASAP, not code that helps you get started. And that's a critical contribution, too.

[toast42]

If it were true open source I think the project would get a lot more contributions. The enterprise edition, with the "best" features, is very much not free.

[maaarghk]

This is absolutely true. They actually have a hostile attitude towards contributions. I used to work at a Magento shop (bad times all round) and my (extremely talented) colleague would often submit patches for long-standing bugs through the ticket tracker which would never appear in general release. Tickets would go for months without responses. It's commercial software at the end of the day. With an obscene price tag on it to scam cash out of non-technical business founders.

I didn't like my magento job much :/

[njloof]

This is why we have forks.

[georgestephanis]

What fork of Magento actually gets usage?

[davidgerard]

None as far as I can tell. There's OpenMage, which accepts contributions. But the problem is that Magento Enterprise is shit, and the Community Edition is shit with the functional bits removed.

Magento is very much open-core in all practical terms.

[kdbuck]

I am willing to accept that other variables might be involved here. I still think the general message of improving OSS is an important one.

[StavrosK]

Is the author obligated to fix the broken code? If they aren't willing to fix it, would you prefer they said nothing and left everyone using insecure crypto?

[kdbuck]

Definitely not. That's why I said it I think it's great that this stuff is brought to the surface. I can see how what I wrote isn't entirely clear though. What I am trying to say is that it would be nice if the message also aimed at encouraging contribution to open source software as well. It seems healthier to OSS as a whole to encourage improvement rather than abandonment.

[aioprisan]

There is simply no way that realistically a third party contributor will rewrite a core part of a platform product for a company that generally does not accept such work, and has an enterprise version of the software that really gets all the goodies instead, which is where their focus is.

[StavrosK]

Oh, yes, I agree with you. My sibling comment seems to suggest that Magento isn't actually OSS, so maybe that's the reason?

[kdbuck]

It definitely is open source insofar as it being a public repository that accepts contributions. However, the disclaimer at the top of the repo does seem to suggest that free offerings might be scooped up and put to other uses... I can see where the degree of "open sourceness" might be questioned in a case like this. I will re-iterate that I am willing to accept that there might be other politics at play here.

[StavrosK]

Open source has a specific definition, though. I think what Magento does is called "source available" or similar.

[rhizome]

Like showing up one day with a PR saying "Hey guys, I rewrote some of your core functionality. Tests pass!" ...I'm not sure it would be that simple.

[kdbuck]

I'm not certain that one would necessarily need/want to take a another stab a "rewriting" core code here. If they are leaning on an interface, which it appears as such (EncryptorInterface), and have managed to avoid implicit coupling etc, it might be possible to swap out the implementation with something else. Maybe one of the other libs that have been recommended in this thread.

[madaxe_again]

Magento is a for profit platform owned by eBay. He's already donated them enough of his time. It is open sores, not open source, although it's easy to confuse the two!

[tkjef]

Magento was sold from eBay to Permira late last year.

https://magento.com/company/press-room/press-releases/magent...