> On Feb 5, 2018, at 9:21 AM, Drago, William @ CSG - NARDA-MITEQ
> <william.dr...@l3t.com> wrote:
>
> The reliable part is easy because there is enough information on the SQLite
> website about testing, but what about security?
Open source software is more secure than closed source, since the source code can be reviewed and audited. (In the security field, closed-source cryptographic software isn’t even taken seriously since it’s not possible to verify its claims, just as scientific results need peer review and independent confirmation.)

> How can I convince the auditors that SQLite is not stealing corporate
> secrets and spreading viruses?

You can very easily prove that SQLite contains no networking code, so it’s incapable of accessing any network. Just search through sqlite3.c looking for the names of the system calls needed to open a socket; they don’t appear. Or, more rigorously, use a (platform-specific) tool to dump the list of external functions called by the compiled SQLite library.

It should also be fairly easy to look through the code to prove that SQLite doesn’t open any files other than the ones specifically requested by the caller (plus the -wal and -shm side files), so it can’t be stealing data or writing viruses into system software.

I don’t know if this will convince your IT management though, because if they’re against open source they must be remarkably backward...

—Jens

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
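The two checks described in the reply above (grep the amalgamation for the calls needed to open a socket; dump the external symbols of the compiled library), plus a listing of the open-family call sites so the "no files other than the caller's" claim can be checked by reading only those lines, as an added example. This is not code from the mailing-list post or from the SQLite project. Assumptions: the source file is a C file such as sqlite3.c; the lists of "networking" and "file-opening" entry points are my own choice; `nm -D --undefined-only` assumes GNU binutils and an ELF shared library; the sample inputs in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from SQLite). Audits a C
# source file such as the sqlite3.c amalgamation for networking calls, checks
# a built shared library for imported networking symbols, and lists the
# file-open call sites an auditor should read by hand. The symbol lists are
# my assumptions about what counts as "networking" and "file opening".

# libc / Winsock entry points needed to create a socket or resolve a host.
NET_SYMBOLS='socket|connect|bind|listen|accept|send|sendto|recv|recvfrom|getaddrinfo|gethostbyname|WSAStartup|WSASocketA|WSASocketW'

# open-family functions; in sqlite3.c these are expected only in the VFS
# layer (the os_unix.c / os_win.c sections of the amalgamation).
OPEN_SYMBOLS='open|openat|fopen|CreateFileA|CreateFileW|CreateFile2'

# Build an ERE that matches NAME( as a C call: the name must not be preceded
# by an identifier character (so a variable like socket_count does not match)
# and must be followed by optional whitespace and an opening parenthesis.
call_regex() {
  printf '(^|[^[:alnum:]_])(%s)[[:space:]]*\\(' "$1"
}

# Print every source line that calls a networking entry point.
# Returns 0 when there are none (the claim holds), 1 otherwise.
scan_source_for_net_calls() {
  hits=$(grep -nE "$(call_regex "$NET_SYMBOLS")" "$1" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Number of lines in a source file that call an open-family function.
count_file_open_sites() {
  grep -cE "$(call_regex "$OPEN_SYMBOLS")" "$1" || true
}

# The same call sites with line numbers, for manual review.
list_file_open_sites() {
  grep -nE "$(call_regex "$OPEN_SYMBOLS")" "$1" || true
}

# Same check on a compiled library: dump its undefined (imported) symbols and
# look for networking names. Assumes GNU binutils and an ELF shared object
# (e.g. libsqlite3.so); on macOS use "nm -u", on Windows "dumpbin /imports".
# Returns 0 when no networking symbol is imported, 1 otherwise.
scan_binary_for_net_imports() {
  hits=$(nm -D --undefined-only "$1" | awk '{print $NF}' \
           | grep -E "^($NET_SYMBOLS)(@.*)?$" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Usage: ./audit.sh sqlite3.c [libsqlite3.so]
# Exit status is 1 if either the source or the library shows networking.
if [ "$#" -gt 0 ]; then
  status=0
  echo "== networking calls in $1 =="
  scan_source_for_net_calls "$1" || status=1
  echo "== open-family call sites in $1 ($(count_file_open_sites "$1") found) =="
  list_file_open_sites "$1"
  if [ "$#" -gt 1 ]; then
    echo "== imported networking symbols in $2 =="
    scan_binary_for_net_imports "$2" || status=1
  fi
  exit "$status"
fi
```

Run it as `./audit.sh sqlite3.c libsqlite3.so`: an empty "networking calls" section and a non-zero exit only on the library section would mean the library was linked against something the amalgamation does not call, which is itself worth explaining to an auditor. The open-family listing is deliberately not judged automatically; the point is that it shrinks the code an auditor has to read to the handful of lines where a path reaches the operating system.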