On Saturday, 29 February 2020 at 08:55:14 CET, Slawomir Jaranowski wrote:
[...]
> Of course it is an open question how to verify the maintainer and reputation of
> used Maven artifacts.

+1

With Reproducible Builds, another layer of trust is to be able to confirm you have the sources used to produce the binary: of course, it's up to you to read and understand the sources, no magic...

Regards,

Hervé

> On Fri, 28 Feb 2020 at 20:43, Manfred Moser <[email protected]> wrote:
> > The order of repositories in a pom, settings and repo manager is crucial.
> > Some companies use their own repos on top since they trust them the most. I
> > have seen internal teams deploying patched versions into those, which then
> > essentially override the real dep from central.
> >
> > This is a feature and is used quite often .. however it also opens the
> > door for abuse on that level.
> >
> > With all sorts of repos out there you really have to check what you
> > consume. If you consume repos that are not trustworthy or just badly
> > maintained .. anything is possible including security attacks... however I
> > have not seen it in practice.
> >
> > Overall it's important that you use Central and other trusted repos first
> > and foremost..
> >
> > Manfred
> >
> > Elliotte Rusty Harold wrote on 2020-02-28 11:01 (GMT -08:00):
> > > Folks,
> > >
> > > A colleague is preparing a presentation on general dependency security
> > > issues. I'm not aware of any compromises of the Maven repo system such
> > > that a malicious actor was able to push malware to client systems, but
> > > I'm not sure it's never happened.
> > >
> > > Does anyone know about anything like the attack on npm a couple of
> > > years ago
> > > <https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets>
> > > that happened in the Java space?
> > >
> > > Even if something just went a little wonky in a way that could have
> > > been used to serve malware but wasn't, that would be almost as
> > > interesting.
> > >
> > > Of course, I'd love for the answer to be, "No, that's never happened
> > > to Java, and it can't because..." I suspect we're a little more
> > > resistant to these classes of attacks than npm because version ranges
> > > are far less common. However, I can't think of anything that would
> > > prevent someone from buying and compromising future versions of any
> > > particular artifact. It's not like intelligence agencies haven't
> > > bought entire companies before,
> > > <https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/>
> > > and most open source projects could be had for a lot less.
> > >
> > > --
> > > Elliotte Rusty Harold
> > > [email protected]
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [email protected]
> > > For additional commands, e-mail: [email protected]
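Manfred's point above, that a repository listed ahead of Central can quietly supply an artifact, can be audited after the fact on a developer or CI machine. The Python script below is an added example, not code from anyone in this thread; it parses the `_remote.repositories` marker files that Maven Resolver writes next to each artifact in the local repository and reports every file whose recorded repository id is not on an allow-list (the allow-list `{"central"}`, the `internal-patched` id and the `org.example` coordinates are constructed for the demo).

```python
import os
import tempfile

# Assumption for this example: only the repository id "central" is trusted.
TRUSTED_REPO_IDS = {"central"}


def parse_remote_repositories(text):
    """Parse a _remote.repositories marker into {filename: repo_id}; each data line
    is "<file>><repoId>=", and an empty repoId means the file was installed locally."""
    origins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header / timestamp comment written by Maven Resolver
        if ">" not in line or not line.endswith("="):
            continue  # unexpected shape: skip rather than guess
        filename, repo_id = line[:-1].split(">", 1)
        origins[filename] = repo_id
    return origins


def audit_local_repo(root, trusted=TRUSTED_REPO_IDS):
    """Return [(relative path, repo_id)] for files not resolved from a trusted id."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "_remote.repositories" not in files:
            continue
        with open(os.path.join(dirpath, "_remote.repositories"), encoding="utf-8") as fh:
            origins = parse_remote_repositories(fh.read())
        for filename, repo_id in sorted(origins.items()):
            if repo_id not in trusted:
                rel = os.path.relpath(os.path.join(dirpath, filename), root)
                findings.append((rel, repo_id or "<local install>"))
    return findings


def demo():
    """Constructed sample repo: 1.0 came from central; 1.1's jar came from an
    internal repository shadowing central and its pom was installed locally."""
    samples = {
        "org/example/lib/1.0": "lib-1.0.jar>central=\nlib-1.0.pom>central=\n",
        "org/example/lib/1.1": "#NOTE: marker\nlib-1.1.jar>internal-patched=\nlib-1.1.pom>=\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, "_remote.repositories"), "w", encoding="utf-8") as fh:
                fh.write(content)
        return sorted(audit_local_repo(root))
```

`demo()` returns the two findings for the 1.1 artifact and nothing for 1.0; point `audit_local_repo` at `~/.m2/repository` with your own allow-list of repository ids for a real audit.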
