On Fri, 14 Jan 2022 at 20:38, Stefan Herbrechtsmeier <[email protected]> wrote:

> Do you really think YP should switch to a distributed approach? Don't
> Log4Shell, 'colors' and 'faker' show the disadvantages of this approach?

Once again, the world has decided that bundling dependencies is the way to build software. That ship has sailed, and we simply don't have the manpower or the influence to change this.

What would help is support in the tools for a manifest which would
- protect you from rogue upstreams by locking down and locally caching source trees
- generate a useful SBOM that will tell exactly where log4j is being pulled in, and at which version, should another critical vulnerability hit.

The recipe meanwhile would be simple, short and sweet: it only needs the checksum for the source tree and a checksum for the licensing, and we would put the trust into the upstream tooling that it correctly verifies the checksums. Like we already do by trusting git provided by the build host, for instance.

Alex
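As an added illustration of the manifest Alex describes (example code written for this page, not from the thread and not part of any Yocto or bitbake tooling), the Python below sketches a lock manifest that pins each dependency's source tree to a checksum, checks a local source cache against it, and answers "where is log4j pulled in, and at which version" from the locked dependency graph. The manifest format, the package names, the file contents and the checksums are all constructed assumptions.

```python
import hashlib

# Constructed stand-in for locally cached source trees: name -> {path: bytes}.
CACHE = {
    "app": {"main.py": b"import webfw\n"},
    "webfw": {"webfw/__init__.py": b"import log4j\n"},
    "log4j": {"log4j/Logger.java": b"class Logger {}\n"},
}

def tree_checksum(tree):
    """Deterministic SHA-256 over a source tree: sorted paths plus contents."""
    h = hashlib.sha256()
    for path in sorted(tree):
        h.update(path.encode() + b"\0" + tree[path] + b"\0")
    return h.hexdigest()

# Constructed lock manifest (hypothetical format): each dependency is pinned
# to a version and to the checksum of its source tree, and lists its deps.
LOCK = {
    "app": {"version": "1.0.0", "sha256": tree_checksum(CACHE["app"]), "deps": ["webfw"]},
    "webfw": {"version": "2.3.1", "sha256": tree_checksum(CACHE["webfw"]), "deps": ["log4j"]},
    "log4j": {"version": "2.14.1", "sha256": tree_checksum(CACHE["log4j"]), "deps": []},
}

def verify_cache(lock, cache):
    """Names whose cached tree is missing or no longer matches the locked checksum."""
    return [n for n, e in lock.items()
            if n not in cache or tree_checksum(cache[n]) != e["sha256"]]

def pull_paths(lock, root, target):
    """Every dependency chain from root that pulls in target, with versions.
    This is the SBOM question: who brings in log4j, and which version is it?"""
    found = []
    def walk(name, chain):
        if name in chain:  # guard against dependency cycles
            return
        chain = chain + (name,)
        if name == target:
            found.append(tuple(f"{n}@{lock[n]['version']}" for n in chain))
        for dep in lock[name]["deps"]:
            walk(dep, chain)
    walk(root, ())
    return found
```

With the cache intact verify_cache returns an empty list; a modified or missing tree names the offending dependency, and pull_paths(LOCK, "app", "log4j") yields the chain app -> webfw -> log4j with the pinned versions.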
View/Reply Online (#1422): https://lists.openembedded.org/g/openembedded-architecture/message/1422
