Re: [sqlite] Vetting SQLite

2018-02-06 Thread Olivier Mascia
> On 6 Feb 2018, at 00:30, Simon Slavin wrote:
> 
>> You know that every copy of Windows comes with SQLite preinstalled,
>> right?  C:\Windows\System32\winsqlite3.dll
> 
> And SQLite is used internally in several parts of Microsoft Office.  For 
> example, Outlook's database in Mac Office 365 is a SQLite database[1].

Visual Studio 2017 (it started with Visual Studio 2015 and was an opt-in with 
the next before release) uses it too. Have a look in the (hidden-attributed) 
folder .vs where you have .sln files...

-- 
Best Regards, Meilleures salutations, Met vriendelijke groeten,
Olivier Mascia


___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Vetting SQLite

2018-02-05 Thread J Decker
On Mon, Feb 5, 2018 at 5:04 PM, Richard Hipp  wrote:

> On 2/5/18, Stephen Chrzanowski  wrote:
> > I was surprised to see that statement, so, checking my system, this isn't
> > true.  Win7Pro-x64.
>
> It's on Windows10.
>

M:\>dir c:\windows\SysWOW64\*sqlite*
 Volume in drive C is OS
 Volume Serial Number is F27E-3A0D

 Directory of c:\windows\SysWOW64

09/29/2017  05:42 AM   592,384 winsqlite3.dll



Version 3.19.3


> --
> D. Richard Hipp
> d...@sqlite.org


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Simon Slavin
On 6 Feb 2018, at 12:56am, J. King  wrote:

> I believe it's only since Windows 8.

Seems likely.  SQLite has been part of the Windows SDK since Windows 10 
Anniversary Update [1], some time around August 2016.  I find it plausible that 
SQLite was in Windows 8 but not in Windows 7.

By the way, the Sticky Notes App included with Windows 10 keeps its data in a 
SQLite database.

Simon.

Cite:
[1] 



Re: [sqlite] Vetting SQLite

2018-02-05 Thread Richard Hipp
On 2/5/18, Stephen Chrzanowski  wrote:
> I was surprised to see that statement, so, checking my system, this isn't
> true.  Win7Pro-x64.

It's on Windows10.
-- 
D. Richard Hipp
d...@sqlite.org


Re: [sqlite] Vetting SQLite

2018-02-05 Thread J. King
I believe it's only since Windows 8. 

On February 5, 2018 7:51:39 PM EST, Stephen Chrzanowski  
wrote:
>I was surprised to see that statement, so, checking my system, this isn't
>true.  Win7Pro-x64.  Not with that filename anyways.  Searching my system
>with the "Everything" tool, [ *sqlite3.exe ] comes up with DLLs that I've
>touched only.  The DLLs I've dumped into the Windows directories exist in
>c:\Windows\SysWOW64 only because c:\Windows\System32 is redirected there.
>On my system, there is only one sqlite3.dll with a timestamp of Aug 11,
>2016, and is version 3.14.1.0 according to the Details tab.
>
>
>On Mon, Feb 5, 2018 at 6:02 PM, Richard Hipp  wrote:
>
>> On 2/5/18, Drago, William @ CSG - NARDA-MITEQ 
>> wrote:
>> >
>> > Most of the software we use here, Microsoft and other well-known and
>> > paid-for products,
>>
>> You know that every copy of Windows comes with SQLite preinstalled,
>> right?  C:\Windows\System32\winsqlite3.dll
>> --
>> D. Richard Hipp
>> d...@sqlite.org



Re: [sqlite] Vetting SQLite

2018-02-05 Thread Stephen Chrzanowski
I was surprised to see that statement, so, checking my system, this isn't
true.  Win7Pro-x64.  Not with that filename anyways.  Searching my system
with the "Everything" tool, [ *sqlite3.exe ] comes up with DLLs that I've
touched only.  The DLLs I've dumped into the Windows directories exist in
c:\Windows\SysWOW64 only because c:\Windows\System32 is redirected there.
On my system, there is only one sqlite3.dll with a timestamp of Aug 11,
2016, and is version 3.14.1.0 according to the Details tab.


On Mon, Feb 5, 2018 at 6:02 PM, Richard Hipp  wrote:

> On 2/5/18, Drago, William @ CSG - NARDA-MITEQ 
> wrote:
> >
> > Most of the software we use here, Microsoft and other well-known and
> > paid-for products,
>
> You know that every copy of Windows comes with SQLite preinstalled,
> right?  C:\Windows\System32\winsqlite3.dll
> --
> D. Richard Hipp
> d...@sqlite.org


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Simon Slavin
On 5 Feb 2018, at 11:02pm, Richard Hipp  wrote:

> On 2/5/18, Drago, William @ CSG - NARDA-MITEQ  wrote:
>> 
>> Most of the software we use here, Microsoft and other well-known and
>> paid-for products,
> 
> You know that every copy of Windows comes with SQLite preinstalled,
> right?  C:\Windows\System32\winsqlite3.dll

And SQLite is used internally in several parts of Microsoft Office.  For 
example, Outlook's database in Mac Office 365 is a SQLite database[1].  So if 
corporate have okayed the use of Office they've okayed a use (though arguably 
not general use) of SQLite.

Microsoft's own .NET library is Microsoft.Data.SQLite but not all of 
Microsoft's own tools use it since it is part of a long dependency chain which 
makes compiled apps rather large.

Simon.

Cite:
[1] 



Re: [sqlite] Vetting SQLite

2018-02-05 Thread Richard Hipp
On 2/5/18, Drago, William @ CSG - NARDA-MITEQ  wrote:
>
> Most of the software we use here, Microsoft and other well-known and
> paid-for products,

You know that every copy of Windows comes with SQLite preinstalled,
right?  C:\Windows\System32\winsqlite3.dll
-- 
D. Richard Hipp
d...@sqlite.org


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Drago, William @ CSG - NARDA-MITEQ
To all that replied, thank you. Open source, not open contribution is a plus, 
so is the wide deployment and well known users (Airbus). There were many other 
good ideas mentioned like examining the source for network calls, etc. All of 
this will help me build a case in favor of SQLite.

No one here is denying the utility and value of open source software. Our IT 
dept. is following corporate mandates designed to protect our networks from 
various threats. It is understandable.

Most of the software we use here, Microsoft and other well-known and paid-for 
products, are validated by corporate before deployment, and there are regular 
scans and updates. When everyone else in the company is using Microsoft SQL 
Server Express and I'm using SQLite instead it raises eyebrows. The last thing 
we need is some rogue engineer (could be me) breaking all our centrifuges with 
"freeware from the internet" when he should have used approved software 
instead. I know SQLite is safe and secure, but the auditors only know what is 
on their lists.

Thanks again for all of your suggestions. I am a regular reader of this group 
because I learn so much.

--
Bill Drago
Staff Engineer
L3 Narda-MITEQ
435 Moreland Road
Hauppauge, NY 11788
631-272-5947 / william.dr...@l3t.com
CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of 
the intended recipient and may contain material that is proprietary, 
confidential, privileged or otherwise legally protected or restricted under 
applicable government laws. Any review, disclosure, distributing or other use 
without expressed permission of the sender is strictly prohibited. If you are 
not the intended recipient, please contact the sender and delete all copies 
without reading, printing, or saving..

Beginning April 1, 2018, L3 Technologies, Inc. will discontinue the use of all 
@L-3Com.com email addresses. To ensure delivery of your messages to this 
recipient, please update your records to use william.dr...@l3t.com.


Re: [sqlite] Vetting SQLite

2018-02-05 Thread John Long
On Mon, 2018-02-05 at 09:39 -0800, Jens Alfke wrote:
> > On Feb 5, 2018, at 9:21 AM, Drago, William @ CSG - NARDA-MITEQ wrote:
> > 
> > The reliable part is easy because there is enough information on
> > the SQLite website about testing, but what about security?
> 
> Open source software is more secure than closed source, since the
> source code can be reviewed and audited.

It is considered easier to verify, sure. But there are still some
big questions:

1. How do you know the source you're looking at is what you're running?

2. How do you know the source you're seeing is compiled correctly? Look
at the buglists for common (*cough* gcc *cough*) compilers.

3. How do you know the CPU you are running on is running the code
correctly and that it is secure? Common microprocessor vendors have
hundreds of errata for chips still being sold.

The only way to know what code is doing is to trace it on the target
hardware. We don't need source code for that. And even that could be
misleading if the hardware is broken or deliberately subverted.

>  (In the security field, closed-source cryptographic software isn’t
> even taken seriously since it’s not possible to verify its claims,
> just as scientific results need peer review and independent
> confirmation.)

That is true but perhaps closed-source cryptographic _algorithms_ are
the issue and not source code. And this is just for reference
implementations... you can still verify exactly what you have without
source code. It just takes more effort and personally I believe it's
more reliable.

I don't believe RSA or IBM or any of the other vendors have open
sourced any crypto code. I think what typically happens is when they
come up with a new standard they produce a reference implementation and
then after the contest is over they implement whatever they implement
and everybody just uses it. 

> I don’t know if this will convince your IT management though, because
> if they’re against open source they must be remarkably backward...

I don't think that is necessarily so. Many companies want/need to be
able to point fingers when something goes wrong. And they need to get
their systems working ASAP. The vast majority of open source projects
have no accountability, they're free as in beer and as long as it works
for the guys spending their time writing it they're done. Companies
(especially publicly owned and traded companies) really can not rely on
freebies and goodwill if they want to stay in business and keep their
executives out of jail. Open source quality is atrocious. Sure, a lot
of closed source quality is atrocious too. Free stuff should be
expected to be worth price paid and most of the time it is not even
that.

sqlite (and fossil!) are wonderful, wonderful projects. But there is a
sea of unsupported garbage out there and nobody who wants to keep their
job can feel safe wading through that. There is also the issue of viral
contamination of GPL, etc.

I think Dr. Hipp did everything right but even so, he is in the tiny
minority.

/jl





Re: [sqlite] Vetting SQLite

2018-02-05 Thread John Found
On Mon, 5 Feb 2018 17:21:53 +
"Drago, William @ CSG - NARDA-MITEQ"  wrote:

> All,
> 
> I've been using/loving SQLite for years, but the use of open source software 
> is highly discouraged where I work, and now I have to prove to our IT dept. 
> that SQLite is reliable and secure. The reliable part is easy because there 
> is enough information on the SQLite website about testing, but what about 
> security? How can I convince the auditors that SQLite is not stealing 
> corporate secrets and spreading viruses?
> 

The open code is actually the only code that can be proven to be secure. The 
written guarantee is pointless actually because the malware is always 
introduced in secret. The procedure is as follows: 

1. Download the SQLite code from the official repository.
2. Audit the code in order to prove it does not contain 
malware/spyware/security flaws.
3. Compile the code and link it against the dependencies proven to be secure! 
(this is important!)
4. You have SQLite proven to be secure.

The only problem is p.3, but if your company is so paranoid about security, you 
already have audited the standard C libraries.


> Is there a statement somewhere on the website that guarantees that copies of 
> SQLite downloaded from SQLite.org and System.Data.Sqlite.org are free of all 
> forms of spyware/malware/viruses/etc?
> 
> Thanks,
> --
> Bill Drago
> Staff Engineer
> L3 Narda-MITEQ
> 435 Moreland Road
> Hauppauge, NY 11788
> 631-272-5947 / william.dr...@l3t.com
> 


-- 
http://fresh.flatassembler.net
http://asm32.info
John Found 


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Bob Friesenhahn

On Mon, 5 Feb 2018, Jens Alfke wrote:

> You can very easily prove that SQLite contains no networking code, 
> so it’s incapable of accessing any network. Just search through 
> sqlite3.c looking for the names of the system calls needed to open a 
> socket; they don’t appear. Or more rigorously, use a 
> (platform-specific) tool to dump the list of external functions 
> called by the compiled SQLite library.


The default configuration of SQLite does have the possibility of 
executing network code since it is able to load external shared 
libraries as modules and the modules can contain arbitrary code.


The security of SQLite depends on how it is built, the environment in 
which it is used, and the arguments supplied to it.


If arbitrary SQL commands can be sent into SQLite, then good luck and 
best wishes regarding security.


Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,http://www.GraphicsMagick.org/
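
The two caveats in the message above (extension loading and arbitrary SQL) can be narrowed by the application that embeds SQLite. The following is an added example, not code from this thread or from the SQLite project: it uses the authorizer hook through Python's standard sqlite3 module, and the `parts` table, the allow-lists and the helper names are hypothetical.

```python
import sqlite3

# Authorizer action codes from sqlite3.h. The numeric fallbacks are the
# values defined there, for Python builds that do not export every name.
SQLITE_READ = getattr(sqlite3, "SQLITE_READ", 20)
SQLITE_SELECT = getattr(sqlite3, "SQLITE_SELECT", 21)
SQLITE_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)

# Hypothetical policy for this example: read-only access to one table and
# a handful of harmless built-in functions. Everything else is refused.
ALLOWED_TABLES = {"parts"}
ALLOWED_FUNCTIONS = {"count", "lower", "upper", "length"}


def authorizer(action, arg1, arg2, dbname, source):
    """Called by SQLite while it compiles each statement."""
    if action == SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK      # arg1 = table name, arg2 = column name
    if action == SQLITE_FUNCTION and (arg2 or "").lower() in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK      # arg2 = SQL function name
    # ATTACH, PRAGMA, INSERT/UPDATE/DELETE, DDL, load_extension(), reads of
    # sqlite_master and anything else not listed above end up here.
    return sqlite3.SQLITE_DENY


def open_restricted():
    """Build a constructed sample database, then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parts(name TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO parts VALUES (?, ?)",
                     [("bolt", 10), ("Bolt", 5), ("nut", 3)])
    conn.commit()
    # Keep extension loading switched off explicitly where the Python build
    # exposes the switch (some builds omit it entirely).
    if hasattr(conn, "enable_load_extension"):
        conn.enable_load_extension(False)
    # Installed last, so the trusted setup above is not subject to the policy.
    conn.set_authorizer(authorizer)
    return conn


def run_untrusted(conn, sql):
    """Run one statement from an untrusted source; return (ok, rows_or_error)."""
    try:
        return True, conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)


if __name__ == "__main__":
    conn = open_restricted()
    for sql in (
        "SELECT count(*) FROM parts WHERE lower(name) = 'bolt'",
        "SELECT load_extension('/tmp/constructed.so')",
        "ATTACH DATABASE ':memory:' AS other",
        "PRAGMA writable_schema = ON",
        "DELETE FROM parts",
    ):
        print(sql, "->", run_untrusted(conn, sql))
```

The authorizer runs at statement-compile time, so a refused statement never executes; it is a complement to, not a substitute for, building SQLite without the features an application does not need.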


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Richard Hipp
On 2/5/18, Drago, William @ CSG - NARDA-MITEQ  wrote:
> All,
>
> I've been using/loving SQLite for years, but the use of open source software
> is highly discouraged where I work, and now I have to prove to our IT dept.
> that SQLite is reliable and secure. The reliable part is easy because there
> is enough information on the SQLite website about testing, but what about
> security? How can I convince the auditors that SQLite is not stealing
> corporate secrets and spreading viruses?
>
> Is there a statement somewhere on the website that guarantees that copies of
> SQLite downloaded from SQLite.org and System.Data.Sqlite.org are free of all
> forms of spyware/malware/viruses/etc?

As for SQLite itself, every byte of source code can be traced back to
the specific individual who wrote it.  Most of those bytes are from
just two people.  All contributors are either US or Australian
citizens.  Not only is every line of source code originated from a
fully vetted individual, but we have proof that every line of code is
tested.  There is no opportunity for a virus to slip in.

SQLite is open-source, but it is not open-contribution.  Do not
confuse these two concepts.  Anybody can read and use the SQLite
sources, but very few people are allowed to commit changes.  All
committers are personally known to me.  We do not accept drive-by
patches.  SQLite does not contain code that has been copy/pasted from
the internet.  All of the code in the SQLite core is purposefully
written specifically for the SQLite core.

SDS is slightly more problematic.  The biggest chunk of that code was
inherited, and we cannot vouch for the provenance of that inherited
code.  On the other hand, we have had total control of SDS since 2010,
and nothing has come up during the subsequent 8 years of development
and maintenance.  Since 2011, all check-ins to the SDS source code
have come from just 3 individuals, with all but about 8 check-ins from
a single programmer who is a US citizen and fully vetted and known
personally to me.

-- 
D. Richard Hipp
d...@sqlite.org


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Igor Korot
Hi,


On Mon, Feb 5, 2018 at 11:41 AM, Simon Slavin  wrote:
> On 5 Feb 2018, at 5:21pm, Drago, William @ CSG - NARDA-MITEQ 
>  wrote:
>
>> I've been using/loving SQLite for years, but the use of open source software 
>> is highly discouraged where I work, and now I have to prove to our IT dept. 
>> that SQLite is reliable and secure. The reliable part is easy because there 
>> is enough information on the SQLite website about testing, but what about 
>> security? How can I convince the auditors that SQLite is not stealing 
>> corporate secrets and spreading viruses?

Out of curiosity - does your company do the security scans quarterly
to make sure that the system (whatever is used) and the software you
guys provide are free of all security vulnerabilities?
As an example - here we do the scans quarterly, then check all
findings against RHSA (we use Red Hat Enterprise) and then fix them.
And then do quarterly security releases for the OS and software.

I'm sure Windows has the same Security Vulnerabilities DB where you
can check what should be fixed by the update, which will be done
automatically anyway.
And if you have a source code scanner(s) - you are in luck as you can
just check the code and fix it.

Thank you.


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Jens Alfke


> On Feb 5, 2018, at 9:21 AM, Drago, William @ CSG - NARDA-MITEQ 
>  wrote:
> 
> The reliable part is easy because there is enough information on the SQLite 
> website about testing, but what about security?

Open source software is more secure than closed source, since the source code 
can be reviewed and audited. (In the security field, closed-source 
cryptographic software isn’t even taken seriously since it’s not possible to 
verify its claims, just as scientific results need peer review and independent 
confirmation.)

>  How can I convince the auditors that SQLite is not stealing corporate 
> secrets and spreading viruses?

You can very easily prove that SQLite contains no networking code, so it’s 
incapable of accessing any network. Just search through sqlite3.c looking for 
the names of the system calls needed to open a socket; they don’t appear. Or 
more rigorously, use a (platform-specific) tool to dump the list of external 
functions called by the compiled SQLite library.

It should also be fairly easy to look through the code to prove that SQLite 
doesn’t open any files other than the ones specifically requested by the caller 
(plus the -wal and -shm side files) so it can’t be stealing data or writing 
viruses into system software.

I don’t know if this will convince your IT management though, because if 
they’re against open source they must be remarkably backward...

—Jens
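
The source search described in the message above, as an added example (not code from this thread or from the SQLite project). It matches whole identifiers outside comments and string literals, because a plain text search trips over words such as "connection" and names such as `sqlite3_bind_int`, and it also reports dynamic-loader calls; the API lists and the C snippet are constructed for illustration and are not taken from sqlite3.c.

```python
import re

# Illustrative, non-exhaustive name lists (assumptions of this example).
NETWORK_APIS = {"socket", "connect", "bind", "listen", "accept", "send",
                "recv", "sendto", "recvfrom", "getaddrinfo", "gethostbyname",
                "WSAStartup"}
LOADER_APIS = {"dlopen", "dlsym", "LoadLibraryA", "LoadLibraryW",
               "GetProcAddress"}

# Comments and literals are matched first, so identifiers inside them are
# consumed and never reported. Matching identifiers (not "name(" call sites)
# also catches functions that are only referenced through a pointer table.
_TOKEN = re.compile(r"""
    /\*.*?\*/              |  # block comment
    //[^\n]*               |  # line comment
    "(?:\\.|[^"\\\n])*"    |  # string literal
    '(?:\\.|[^'\\\n])*'    |  # character literal
    (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
""", re.S | re.X)


def audit_source(text):
    """Return {'network': [(line, name)], 'loader': [(line, name)]}."""
    hits = {"network": [], "loader": []}
    for m in _TOKEN.finditer(text):
        name = m.group("ident")
        if name in NETWORK_APIS:
            kind = "network"
        elif name in LOADER_APIS:
            kind = "loader"
        else:
            continue                      # comment, literal or other identifier
        line = text.count("\n", 0, m.start()) + 1
        hits[kind].append((line, name))
    return hits


def naive_grep(text):
    """Line numbers a plain substring search would flag, for comparison."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if any(api in line for api in NETWORK_APIS)]


# Constructed C fragment for the demonstration; not an excerpt of sqlite3.c.
SAMPLE_C = r'''/* Open a connection; callers may bind() parameters later. */
static const char *zMsg = "cannot connect to socket";
static void *xDlOpen(const char *zFile){
  return dlopen(zFile, RTLD_NOW);  // load extension
}
static struct { const char *z; void (*p)(void); } aSyscall[] = {
  { "open", (void(*)(void))open },
};
int sqlite3_bind_int(void *p, int i, int v);
'''

if __name__ == "__main__":
    print("substring search flags lines:", naive_grep(SAMPLE_C))
    print("identifier audit:", audit_source(SAMPLE_C))
```

A source scan of this kind only covers the file it is given; the import table of the compiled library, dumped with a platform tool as the message suggests, is the check on what was actually built.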


Re: [sqlite] Vetting SQLite

2018-02-05 Thread Simon Slavin
On 5 Feb 2018, at 5:21pm, Drago, William @ CSG - NARDA-MITEQ 
 wrote:

> I've been using/loving SQLite for years, but the use of open source software 
> is highly discouraged where I work, and now I have to prove to our IT dept. 
> that SQLite is reliable and secure. The reliable part is easy because there 
> is enough information on the SQLite website about testing, but what about 
> security? How can I convince the auditors that SQLite is not stealing 
> corporate secrets and spreading viruses?

What's "CSG" ?  Chief of Security Group ?

The ideal way would seem to be that you download the source code and compile it 
yourself.  Which is actually the preferred way to use SQLite in the first 
place. On the download page download the top item "C source code as an 
amalgamation".  You get your own copy of the source code to inspect and compile 
as you wish.  They can spend as long as they want looking for concealed IP 
addresses and system calls.

> Is there a statement somewhere on the website that guarantees that copies of 
> SQLite downloaded from SQLite.org and System.Data.Sqlite.org are free of all 
> forms of spyware/malware/viruses/etc?

That's harder.  How does your organisation inspect other pre-compiled libraries 
?  Does it have established uniform standards or are you suddenly being asked 
to make up your own ?

You can download the DLL from the SQLite site, and verify that the checksum is 
correct.  You can compile the DLL yourself (you may need Joe's help) and check 
to see it's a byte-for-byte copy.  You can use tools which inspect the DLL and 
show its dependencies.  You won't find anything in there that has internet 
access.  That's a pretty good first step since you can't steal information 
without internet access, and most vulnerability toolkits take their 
instructions over the internet.

If you have specific questions, post them here.  Or pay my consultancy rate.  
Heh.

Simon.


Re: [sqlite] Vetting SQLite

2018-02-05 Thread J. King
I'm not aware of a statement or guarantee, but the Web site provides lots of 
evidence here:



In particular, SQLite being used as part of aircraft software by Airbus should 
tell you something. 

On February 5, 2018 12:21:53 PM EST, "Drago, William @ CSG - NARDA-MITEQ" 
 wrote:
>All,
>
>I've been using/loving SQLite for years, but the use of open source
>software is highly discouraged where I work, and now I have to prove to
>our IT dept. that SQLite is reliable and secure. The reliable part is
>easy because there is enough information on the SQLite website about
>testing, but what about security? How can I convince the auditors that
>SQLite is not stealing corporate secrets and spreading viruses?
>
>Is there a statement somewhere on the website that guarantees that
>copies of SQLite downloaded from SQLite.org and System.Data.Sqlite.org
>are free of all forms of spyware/malware/viruses/etc?
>
>Thanks,
>--
>Bill Drago
>Staff Engineer
>L3 Narda-MITEQ
>435 Moreland Road
>Hauppauge, NY 11788
>631-272-5947 / william.dr...@l3t.com
>



[sqlite] Vetting SQLite

2018-02-05 Thread Drago, William @ CSG - NARDA-MITEQ
All,

I've been using/loving SQLite for years, but the use of open source software is 
highly discouraged where I work, and now I have to prove to our IT dept. that 
SQLite is reliable and secure. The reliable part is easy because there is 
enough information on the SQLite website about testing, but what about 
security? How can I convince the auditors that SQLite is not stealing corporate 
secrets and spreading viruses?

Is there a statement somewhere on the website that guarantees that copies of 
SQLite downloaded from SQLite.org and System.Data.Sqlite.org are free of all 
forms of spyware/malware/viruses/etc?

Thanks,
--
Bill Drago
Staff Engineer
L3 Narda-MITEQ
435 Moreland Road
Hauppauge, NY 11788
631-272-5947 / william.dr...@l3t.com
