[SC-L] security in open source components

Jeffrey Walton noloader at gmail.com
Thu Apr 26 07:40:58 EDT 2012


On Tue, Apr 24, 2012 at 4:22 PM, Johan Peeters <yo at secappdev.org> wrote:
> I was very happy to see
> http://www.sonatype.com/Products/Sonatype-Insight/Why-Insight/Reduce-Security-Risk/Security-Brief.
> Finally some attention to the elephant in the room; what is the use of
> secure coding if your software depends on third party components with
> flaws?
> ...
> How can I be sure that the binary component my build script retrieves
> from, say, Maven Central is the one released by the relevant open
> source project? I know there are checksums and such, but I remain to
> be convinced that this typically affords adequate protection or that
> it even could do so...
The problem with Maven in particular is the project stresses stability
over all others. The project is more than happy to distribute stable,
but buggy, code. How Stable vs Buggy is not muttually exclusive is an
oxymoron to me, though.

Jeff


More information about the SC-L mailing list