Secure Coding mailing list archives

Re: security in open source components


From: Christian Heinrich <christian.heinrich () cmlh id au>
Date: Thu, 26 Apr 2012 09:22:32 +1000

Johan,

Since each git commit is SHA-1 and is popular with open source
projects, it would be possible to incorporate them as a "submodule"
as part of your larger superproject within git, but it does have some
limitations outlined within
http://stackoverflow.com/questions/996164/is-anyone-really-using-git-super-subprojects

Let me know if this addresses your concern or if I am way off?

On Wed, Apr 25, 2012 at 6:22 AM, Johan Peeters <yo () secappdev org> wrote:
These points are important. However, I am also concerned about
component distribution.
How can I be sure that the binary component my build script retrieves
from, say, Maven Central is the one released by the relevant open
source project? I know there are checksums and such, but I remain to
be convinced that this typically affords adequate protection or that
it even could do so. If my fears are well-founded, current
distribution mechanisms of open source components provide the ideal
opportunity for installing back-doors on the server side.
I hope I am just being paranoid and the authors neglected to talk
about distribution because it is obviously secure. I certainly would
have been happier if distribution had been analysed and found secure,
or, even, not terribly insecure.
Does anyone else share these concerns? Or can anyone allay my fears?


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
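As an added illustration of the concern in this exchange (not code from either poster), the script below contrasts the weak check, comparing a fetched jar against the checksum file served beside it, with pinning a digest recorded out-of-band at release time. The jar bytes and the "sha256:" lockfile format are constructed for the example.

```python
"""Verify a retrieved component against a digest pinned out-of-band,
rather than against a checksum served by the same distribution server.
Added example; not from the mailing-list thread."""
import hashlib
import hmac

# Constructed stand-ins for a jar as published and a tampered copy.
RELEASED_JAR = b"PK\x03\x04 widget-1.2.3 as published by the upstream project"
TAMPERED_JAR = b"PK\x03\x04 widget-1.2.3 with an extra class inserted"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_pin(data: bytes) -> str:
    """What the build owner stores in a lockfile at release time, taken from
    the project itself (signed tag, release announcement), not from the
    repository that later serves the binary. Hypothetical 'sha256:' format."""
    return "sha256:" + sha256_hex(data)


def verify_pinned(data: bytes, pin: str) -> bool:
    """Build-time check: the fetched bytes must match the pinned digest.
    Rejects unknown algorithms and malformed pins rather than skipping."""
    algo, _, expected = pin.partition(":")
    if algo != "sha256" or len(expected) != 64:
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def mirror_serves(data: bytes):
    """Simulated repository response: the artifact plus its co-hosted .sha1.
    Whoever controls the server controls both values."""
    return data, hashlib.sha1(data).hexdigest()


def cohosted_checksum_matches(data: bytes, sha1_file: str) -> bool:
    """The weak check: compare against the .sha1 served beside the artifact.
    This catches transit corruption only; a tampered jar arrives with a
    matching checksum, so it says nothing about repository compromise."""
    return hmac.compare_digest(hashlib.sha1(data).hexdigest(), sha1_file.strip())


if __name__ == "__main__":
    pin = record_pin(RELEASED_JAR)
    jar, sha1 = mirror_serves(TAMPERED_JAR)
    print("co-hosted checksum accepts tampered jar:", cohosted_checksum_matches(jar, sha1))
    print("out-of-band pin accepts tampered jar:  ", verify_pinned(jar, pin))
```

The same idea is what pinning a git submodule to a specific commit id gives you: the expected identity of the component is recorded in your own tree, not obtained from the server you fetch from.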
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________