Re: has GnuCash code been reviewed for security?

2017-11-09 Thread Derek Atkins
Hi,

Please be sure to CC gnucash-user on all your replies using your
mailer's Reply-To-List or Reply-All functionality.

You're now getting more into topics for the development list and not the
user list, but suffice it to say that GnuCash is NOT a security
application, it is a financial application.  You should treat it as
such.  The developers work hard to ensure that the program won't crash
based on bogus inputs, but of course bugs still happen.

Any further development-related question should be redirected to
gnucash-devel.

Thanks,

-derek

Marcus Winston  writes:

> OK, sure. That's fine.
>
> So Gnucash takes as input data from some other program that has connected to
> the internet. Does GnuCash validate this data before accepting it as input?
> (one example of a security protection). Does GnuCash manage its own input
> buffers or does it allow the external program to manipulate the buffers (the
> latter being a security risk). Just a couple examples.
> -marcus
>
> On Wed, Nov 8, 2017 at 5:56 PM, Derek Atkins  wrote:
>
> None of that happens in gnucash.  That is all done by GnuTLS, controlled
> by AqBanking.
>
> -derek
> Sent using my mobile device. Please excuse any typos.
>
> On November 8, 2017 8:54:36 PM Marcus Winston <
> mar...@thechocolatehouse.net> wrote:
>
> I'm thinking mainly of the connection to banks, downloading
> transactions. I assume it's done over https or something similar. Has a
> code review of that portion been conducted, to make sure it's secure
> (at least, as secure as folks know how to make it)? Security
> vulnerabilities abound everywhere these days...
>
> Thanks.
> -marcus
>
> On Wed, Nov 8, 2017 at 5:43 PM, Derek Atkins  wrote:
>
> Hi,
> What specifically would such a code review be looking for?
> GnuCash is a financial application. It specifically does not
> provide security services like encryption, leaving that to
> security specific applications (like True Crypt).  Passwords to
> online banking are never stored. All other security is from
> external providers.
>
> So what are you looking for?
>
> -derek
> Sent using my mobile device. Please excuse any typos.
>
> On November 8, 2017 8:36:31 PM Marcus Winston <
> mar...@thechocolatehouse.net> wrote:
>
> I've searched the web and mailing list archives for this one, but didn't
> find it. I'm just curious if GnuCash has ever gone through a code review
> specifically for security? Perhaps something like what was done for
> TrueCrypt...?
> ___
> gnucash-user mailing list
> gnucash-user@gnucash.org
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> -
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
>

-- 
   Derek Atkins 617-623-3745
   de...@ihtfp.com www.ihtfp.com
   Computer and Internet Security Consultant

Re: has GnuCash code been reviewed for security?

2017-11-09 Thread Aaron Laws
On Thu, Nov 9, 2017 at 9:24 AM, Buddha Buck  wrote:

> GnuCash also doesn't do any network access, either as a client or server.
> For things like financial quote lookup, it calls 3rd-party tools. That's
> another way that GnuCash minimizes its security footprint.
>

I was thinking along these lines, but I wasn't sure enough to actually say
it does no network access. For instance, it can access a remote mysql
database? But perhaps this is also delegation to a mysql driver so wouldn't
count? Anyway, delegation is truly the gist of it.


Re: has GnuCash code been reviewed for security?

2017-11-09 Thread Aaron Laws
On Wed, Nov 8, 2017 at 8:35 PM, Marcus Winston  wrote:

> I've searched the web and mailing list archives for this one, but didn't
> find it. I'm just curious if GnuCash has ever gone through a code review
> specifically for security? Perhaps something like what was done for
> TrueCrypt...?


There aren't many angles for Gnucash security. Data can be stored in xml or
SQL. The SQL storage security is up to the provider: mysql, sqlite,
postgres. XML is in plain text, so you'll need to secure it physically or
using your operating system.

As Derek asks: what else would you like to know?


Re: has GnuCash code been reviewed for security?

2017-11-08 Thread Derek Atkins

Hi,
What specifically would such a code review be looking for?
GnuCash is a financial application. It specifically does not provide 
security services like encryption, leaving that to security specific 
applications (like True Crypt).  Passwords to online banking are never 
stored. All other security is from external providers.


So what are you looking for?

-derek
Sent using my mobile device. Please excuse any typos.


On November 8, 2017 8:36:31 PM Marcus Winston wrote:

I've searched the web and mailing list archives for this one, but didn't
find it. I'm just curious if GnuCash has ever gone through a code review
specifically for security? Perhaps something like what was done for
TrueCrypt...?


