Secure Coding mailing list archives
Re: security in open source components
From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 26 Apr 2012 07:40:58 -0400
On Tue, Apr 24, 2012 at 4:22 PM, Johan Peeters <yo () secappdev org> wrote:
> I was very happy to see http://www.sonatype.com/Products/Sonatype-Insight/Why-Insight/Reduce-Security-Risk/Security-Brief. Finally some attention to the elephant in the room; what is the use of secure coding if your software depends on third party components with flaws? ... How can I be sure that the binary component my build script retrieves from, say, Maven Central is the one released by the relevant open source project? I know there are checksums and such, but I remain to be convinced that this typically affords adequate protection or that it even could do so...
The problem with Maven in particular is the project stresses stability over all others. The project is more than happy to distribute stable, but buggy, code. How Stable vs Buggy is not mutually exclusive is an oxymoron to me, though.

Jeff

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
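The checksum question in the quoted message (can a checksum fetched from the repository prove the artifact is the upstream release?), as an added example that is not part of this thread: it contrasts the sidecar .sha1 check a Maven client performs with a digest pinned out of band. The artifact bytes and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded jar (not a real artifact).
ARTIFACT = b"PK\x03\x04 constructed-artifact-bytes for illustration"


def sidecar_sha1(data: bytes) -> str:
    """Contents of the .sha1 file a repository serves next to `data`."""
    return hashlib.sha1(data).hexdigest()


def verify_sidecar(data: bytes, sidecar: str) -> bool:
    """What a build tool does: compare the download with the .sha1 fetched
    from the same server. This catches transport corruption only, because
    whoever controls the server also controls the sidecar."""
    return hashlib.sha1(data).hexdigest() == sidecar.strip().split()[0]


def verify_pinned(data: bytes, pinned_sha256: str) -> bool:
    """Compare with a digest recorded out of band when the component was
    first vetted (e.g. from the upstream release announcement)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), pinned_sha256)


def scenario() -> dict:
    """Genuine artifact with its pinned digest, versus a substituted artifact
    whose sidecar was regenerated on the same server."""
    pinned = hashlib.sha256(ARTIFACT).hexdigest()
    substituted = ARTIFACT + b"\x00extra-class"
    substituted_sidecar = sidecar_sha1(substituted)
    return {
        "sidecar_ok_for_substituted": verify_sidecar(substituted, substituted_sidecar),
        "pinned_ok_for_substituted": verify_pinned(substituted, pinned),
        "pinned_ok_for_genuine": verify_pinned(ARTIFACT, pinned),
    }
```

The sidecar check passes for the substituted artifact while the pinned check fails; only a digest (or signature key) obtained independently of the download server detects substitution.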
Current thread:
- security in open source components Johan Peeters (Apr 25)
- Re: security in open source components Christian Heinrich (May 04)
- Re: security in open source components Jeffrey Walton (May 04)