Binary files are appropriate in a repository; for example, Apache Commons Compress contains various normal and broken compressed files in its test fixtures.
Gary

On Tue, Apr 2, 2024 at 3:04 PM Mike Drob <md...@apache.org> wrote:
>
> Security,
>
> One of the interesting things coming out of the xz backdoor investigation is
> the apparent use of binary data in "test files" to precipitate the backdoor.
> I know that we have a "no compiled code" policy for our releases, but I have
> also seen in practice that projects let binary junk in to test folders
> (myself having checked in binaries to tests at least once). Is there an
> opportunity here to shore up the repo contents?
>
> Can we do this in a way that doesn't involve inspecting each file manually
> and then concluding that it needs to stay because we're testing backwards
> compat for data produced by an older version of the code and we can't
> actually generate anymore, so there's no action that we can take?
>
> This is a parallel discussion to Jarek's thread on this list regarding
> provenance checks. Instead of at release time, maybe we shift some of the
> checking or building to earlier in the development cycle?
>
> Mike
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-discuss-unsubscr...@community.apache.org
> For additional commands, e-mail: security-discuss-h...@community.apache.org
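One way to do the automated check Mike asks about, as an added example that is not part of this thread or of any Apache project: scan a checkout for binary files under test directories using git's own NUL-byte heuristic, and compare each against an allowlist of vouched-for fixtures (path plus SHA-256), so CI fails on a binary nobody has accounted for. The repository layout, file names and allowlist below are constructed for the demo.

```python
"""Inventory binary fixtures in a repository and check them against an allowlist."""
import gzip
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# git's buffer_is_binary() treats a file as binary if a NUL byte appears
# in the first 8000 bytes; we reuse the same heuristic here.
SNIFF_BYTES = 8000


def is_binary(path: Path) -> bool:
    with path.open("rb") as fh:
        return b"\0" in fh.read(SNIFF_BYTES)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_binaries(repo: Path, allowlist: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every binary file in the tree as allowed, unexpected, or
    mismatched (listed in the allowlist but with a different hash)."""
    report: Dict[str, List[str]] = {"allowed": [], "unexpected": [], "mismatched": []}
    for p in sorted(repo.rglob("*")):
        if not p.is_file() or ".git" in p.parts or not is_binary(p):
            continue
        rel = p.relative_to(repo).as_posix()
        expected = allowlist.get(rel)
        if expected is None:
            report["unexpected"].append(rel)      # nobody has vouched for this blob
        elif expected != sha256_of(p):
            report["mismatched"].append(rel)      # vouched-for fixture was modified
        else:
            report["allowed"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed checkout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        tests = repo / "src" / "test" / "resources"
        tests.mkdir(parents=True)
        (tests / "good.gz").write_bytes(gzip.compress(b"hello"))
        (tests / "truncated.gz").write_bytes(gzip.compress(b"hello")[:10])  # deliberately broken fixture
        (tests / "README.txt").write_text("fixture notes\n")               # text, ignored
        (tests / "mystery.bin").write_bytes(b"\x00\x01\x02")                # unvouched blob
        allowlist = {
            "src/test/resources/good.gz": sha256_of(tests / "good.gz"),
            "src/test/resources/truncated.gz": "0" * 64,  # stale entry: hash no longer matches
        }
        return audit_binaries(repo, allowlist)
```

In a real pipeline the allowlist would live in the repository and be updated only through review, which is where the "we can't regenerate this fixture, so it stays" decision gets recorded once instead of being re-examined at every release.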