Secure Coding mailing list archives

Re: security in open source components


From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 26 Apr 2012 07:40:58 -0400

On Tue, Apr 24, 2012 at 4:22 PM, Johan Peeters <yo () secappdev org> wrote:
> I was very happy to see
> http://www.sonatype.com/Products/Sonatype-Insight/Why-Insight/Reduce-Security-Risk/Security-Brief.
> Finally some attention to the elephant in the room; what is the use of
> secure coding if your software depends on third party components with
> flaws?
> ...
> How can I be sure that the binary component my build script retrieves
> from, say, Maven Central is the one released by the relevant open
> source project? I know there are checksums and such, but I remain to
> be convinced that this typically affords adequate protection or that
> it even could do so...
The problem with Maven in particular is the project stresses stability
over all others. The project is more than happy to distribute stable,
but buggy, code. How Stable vs Buggy is not mutually exclusive is an
oxymoron to me, though.

Jeff
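The question Johan raises about checksums can be made concrete. The following is an added example, not code from either poster or from the Maven project: it models a repository that serves an artifact next to its .sha1 file (the layout Maven-style repositories use) and compares two checks a build can run. The artifact bytes, the modified artifact, the repository class and the digests are all constructed for the example; only the checksum-file format (bare hex digest, or "digest  filename" as sha1sum prints it) reflects real Maven repositories.

```python
"""Added example: a checksum fetched from the same place as the artifact
proves the download was not corrupted in transit, while a digest pinned in
the build when the dependency was vetted also detects a replaced artifact.
Everything below (repository, artifact bytes, digests) is constructed."""
import hashlib
import hmac

# Constructed stand-ins for a jar; the bytes are not a real archive.
GENUINE_ARTIFACT = b"PK\x03\x04constructed-stand-in-for-example-lib-1.0.jar"
MODIFIED_ARTIFACT = GENUINE_ARTIFACT + b"+changed-after-release"


class Repository:
    """Constructed model of a remote repository serving an artifact next to
    its .sha1 file. Whoever can write the artifact can write the checksum
    beside it, so the two always agree regardless of who published them."""

    def __init__(self, artifact: bytes) -> None:
        self.publish(artifact)

    def publish(self, artifact: bytes) -> None:
        self.artifact = artifact
        # Real .sha1 files are either "<hex>" or "<hex>  <filename>".
        self.sha1_file = (
            hashlib.sha1(artifact).hexdigest() + "  example-lib-1.0.jar\n"
        )

    def fetch_artifact(self) -> bytes:
        return self.artifact

    def fetch_sha1_file(self) -> str:
        return self.sha1_file


def parse_checksum_file(text: str) -> str:
    """Return the hex digest from a checksum file, tolerating the
    'digest  filename' form produced by sha1sum/sha256sum."""
    return text.split()[0].lower()


def colocated_checksum_ok(repo: Repository) -> bool:
    """Integrity check against the checksum served beside the artifact.
    Catches corruption in transit; cannot catch substitution at the source."""
    data = repo.fetch_artifact()
    expected = parse_checksum_file(repo.fetch_sha1_file())
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def pin_artifact(data: bytes) -> str:
    """Record a digest of a vetted artifact; keep it in version control."""
    return hashlib.sha256(data).hexdigest()


def pinned_digest_ok(repo: Repository, pinned_sha256: str) -> bool:
    """Check the fetched artifact against a digest the build already trusts."""
    actual = hashlib.sha256(repo.fetch_artifact()).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


def demo() -> dict:
    """Run both checks before and after the artifact is replaced at source."""
    repo = Repository(GENUINE_ARTIFACT)
    pinned = pin_artifact(GENUINE_ARTIFACT)  # recorded when the dep was vetted
    results = {
        "before_colocated": colocated_checksum_ok(repo),
        "before_pinned": pinned_digest_ok(repo, pinned),
    }
    # Simulate the published artifact (and its .sha1) being replaced.
    repo.publish(MODIFIED_ARTIFACT)
    results["after_colocated"] = colocated_checksum_ok(repo)
    results["after_pinned"] = pinned_digest_ok(repo, pinned)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Running it shows the co-located check passing both before and after the replacement, while the pinned digest fails afterwards. The pin is only as good as the vetting that produced it, and it has to be updated deliberately on every upgrade; verifying the detached PGP signature that Maven Central also publishes (the .asc file) against a key the build already trusts is the complementary check for authorship rather than mere integrity.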
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________