by rurcliped 999 days ago
a recent audit claims the author "doesn't have enough resources to address" security issues: https://www.openwall.com/lists/oss-security/2023/09/08/2 https://github.com/schollz/croc/issues/594 etc.

I appreciated the links to the audit, but your quote was misleading to me when taken out of context like you did. I interpreted it as basically saying that the author couldn't or wouldn't address the issues identified. The full quote was:

> The upstream author doesn't have enough resources to address them on its own and wants to develop fixes in the open. Therefore I have created GitHub issues in the upstream project and publish the full report today.

I.e. the "and wants to develop fixes in the open" part left me with a very different interpretation from when I first read your comment.

These issues are pretty recent. I would greatly appreciate sponsorship to address issues faster: https://github.com/sponsors/schollz or just help with PRs.
Just wanted to say that Croc is one of the most reliable and straightforward file transfer tools I’ve ever used. It worked so well that I used it for Android (via Termux) to Windows transfers regularly. I only wish there was a way to use it on iOS but I imagine that’s challenging.
Thanks for the kindness :) I use it the same way actually! I don't use any Apple products so that's the major roadblock for me to develop against iOS...
There was a deadly security flaw two years ago that required a protocol-breaking fix (done within a week, I believe):

https://redrocket.club/posts/croc/

But audits finding vulnerabilities are better than no audit and no known flaw.

Do these tools have iOS apps?

Perhaps you missed this https://news.ycombinator.com/item?id=37608110 but it has given me fresh, sceptical, eyes with which to read cve reports.
Yes, I subscribe to Daniel Stenberg's RSS feed and have seen his many articles bemoaning excessive classification of bugs as vulnerabilities. One of these bugs, however, shows serious cryptographic deficiencies. Unfortunately there are a lot of cryptography amateurs making stuff without a proper understanding and making grandiose claims, so my default stance is one of skepticism unless reputable cryptographers have looked at it.

I use wormhole-william, the Go version of the Python magic wormhole, and age, mostly because of this Latacora endorsement:

https://www.latacora.com/blog/2019/07/16/the-pgp-problem/