[FiloSottile]

Well, I (and most security and cryptography experts I discussed this with) disagree, and I don’t think we’re going to find a canonical source for what the warning is supposed to mean.

Its broader version that includes protocols and formats easily applies here (although is also arguably defeated because it didn’t stop this project from being published without caveats and making it to the HN front page).

We had a discussion about this with tptacek on his podcast. https://securitycryptographywhatever.buzzsprout.com/1822302/...

[tialaramex]

I should probably listen to that podcast, but to me the "It's gatekeeping" thing is entirely annulled by experiences like this HN post. If I went a few years without seeing people ignorantly doing this I would re-think my stance, but I don't think I ever go more than a few months and I'm not paying that close attention.

I feel like it belongs in the same category as "Don't eat wild mushrooms". I know some people who are really interested in fungi and they definitely don't see this as gatekeeping, they see it as fewer dead people. Bad cryptography is less immediately deadly than eating the wrong mushroom, but on the other hand even tremendous incompetence (e.g. feed housemates delicious mushroom soup you made, oops that was poison, they're all hospitalised) has narrower consequences than for software which can trivially be spread to millions of people.

I wrote some crypto example software as a demo for an acquaintance (I was going to write "friend", but given subsequent events lets go with "acquaintance") last century, and I made sure to cover it in "Not for production use" warnings, but how sure can I ever be that the warnings were still on it when anybody else saw it ? Perhaps I should rather have said "No".