Secure Coding mailing list archives
Re: security in open source components
From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Thu, 26 Apr 2012 09:22:32 +1000
Johan,

Since each git commit is SHA-1 and is popular with open source projects, it would be possible to incorporate them as a "submodule" as part of your larger superproject within git, but it does have some limitations outlined within http://stackoverflow.com/questions/996164/is-anyone-really-using-git-super-subprojects

Let me know if this addresses your concern or if I am way off?

On Wed, Apr 25, 2012 at 6:22 AM, Johan Peeters <yo () secappdev org> wrote:
These points are important. However, I am also concerned about component distribution. How can I be sure that the binary component my build script retrieves from, say, Maven Central is the one released by the relevant open source project? I know there are checksums and such, but I remain to be convinced that this typically affords adequate protection or that it even could do so. If my fears are well-founded, current distribution mechanisms of open source components provide the ideal opportunity for installing back-doors on the server side. I hope I am just being paranoid and the authors neglected to talk about distribution because it is obviously secure. I certainly would have been happier if distribution had been analysed and found secure, or, even, not terribly insecure. Does anyone else share these concerns? Or can anyone allay my fears?
--
Regards,
Christian Heinrich
http://cmlh.id.au/contact

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
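A check for the pinning mechanism Christian describes, added here as an example and not code from the thread: a git superproject records each submodule as a gitlink entry (mode 160000) whose object id is the pinned commit SHA-1, and that pin only gives integrity if the working tree actually matches it. The script parses constructed `git ls-tree HEAD` and `git submodule status` output (the paths and hashes are made up) and reports submodules that drifted from the pin or were never initialized.

```python
import re

GITLINK_MODE = "160000"          # git's tree mode for a submodule (gitlink) entry
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample output of `git ls-tree HEAD` in a superproject.
LS_TREE = (
    "100644 blob e69de29bb2d1d6434b8b29ae775ad8c2e48c5391\tREADME.md\n"
    "160000 commit 3f786850e387550fdab836ed7e6dc881de23001b\tlib/crypto\n"
    "160000 commit 89e6c98d92887913cadf06b2adb97f26cdb11f5a\tlib/parser\n"
    "160000 commit 2b9d7c1f0e1a4d5c6b7a8f9e0d1c2b3a4f5e6d7c\tlib/logging\n"
)
# Constructed sample output of `git submodule status`: a leading space means
# the checkout matches the pin, '+' means it differs, '-' means not initialized.
STATUS = (
    " 3f786850e387550fdab836ed7e6dc881de23001b lib/crypto (v1.2.0)\n"
    "+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa lib/parser (heads/master)\n"
    "-2b9d7c1f0e1a4d5c6b7a8f9e0d1c2b3a4f5e6d7c lib/logging\n"
)

def parse_pins(ls_tree_output):
    """Return {path: pinned_sha} for every gitlink entry in `git ls-tree` output."""
    pins = {}
    for line in ls_tree_output.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)      # format: "<mode> <type> <sha>\t<path>"
        mode, obj_type, sha = meta.split()
        if mode == GITLINK_MODE and obj_type == "commit" and SHA1_RE.match(sha):
            pins[path] = sha
    return pins

def parse_status(status_output):
    """Return {path: (state_char, checked_out_sha)} from `git submodule status`."""
    checked_out = {}
    for line in status_output.splitlines():
        if not line:
            continue
        fields = line[1:].split()              # paths containing spaces are not handled
        checked_out[fields[1]] = (line[0], fields[0])
    return checked_out

def audit_submodules(ls_tree_output, status_output):
    """List (path, problem) for every pinned submodule whose checkout is not the pin."""
    findings = []
    checked_out = parse_status(status_output)
    for path, pinned in parse_pins(ls_tree_output).items():
        if path not in checked_out:
            findings.append((path, "no status entry"))
        elif checked_out[path][0] == "-":
            findings.append((path, "not initialized"))
        elif checked_out[path][1] != pinned:
            findings.append((path, f"drift: pinned {pinned[:12]}, checked out {checked_out[path][1][:12]}"))
    return findings

if __name__ == "__main__":
    for path, problem in audit_submodules(LS_TREE, STATUS):
        print(f"{path}: {problem}")
```

The pin itself is only as trustworthy as the superproject history that records it, so a change to a gitlink entry deserves the same review as any other commit.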