Hacker News
by tobias2014 1852 days ago
In a sense it is good when people actually check open-source software for security vulnerabilities, and these get fixed, no? There would only be reason for concern if a project shows overall continued sloppiness, but I'm not aware of that for croc. Correct me if I'm wrong.
1 comment

They seem to be sloppy:

> The only thing I know about croc is that they misread a SPAKE2 description and it was very broken (https://github.com/schollz/pake/commit/04729caa1862a96ce3aef...) while also not knowing how long private keys should be