On 2/5/18, Drago, William @ CSG - NARDA-MITEQ <william.dr...@l3t.com> wrote:
> I've been using/loving SQLite for years, but the use of open source software
> is highly discouraged where I work, and now I have to prove to our IT dept.
> that SQLite is reliable and secure. The reliable part is easy because there
> is enough information on the SQLite website about testing, but what about
> security? How can I convince the auditors that SQLite is not stealing
> corporate secrets and spreading viruses?
>
> Is there a statement somewhere on the website that guarantees that copies of
> SQLite downloaded from SQLite.org and System.Data.Sqlite.org are free of all
> forms of spyware/malware/viruses/etc?

As for SQLite itself, every byte of source code can be traced back to
the specific individual who wrote it. Most of those bytes are from
just two people. All contributors are either US or Australian
citizens. Not only is every line of source code originated from a
fully vetted individual, but we have proof that every line of code is
tested. There is no opportunity for a virus to slip in.

SQLite is open-source, but it is not open-contribution. Do not
confuse these two concepts. Anybody can read and use the SQLite
sources, but very few people are allowed to commit changes. All
committers are personally known to me. We do not accept drive-by
patches. SQLite does not contain code that has been copy/pasted from
the internet. All of the code in the SQLite core is purposefully
written specifically for the SQLite core.

SDS is slightly more problematic. The biggest chunk of that code was
inherited, and we cannot vouch for the provenance of that inherited
code. On the other hand, we have had total control of SDS since 2010,
and nothing has come up during the subsequent 8 years of development
and maintenance. Since 2011, all check-ins to the SDS source code
have come from just 3 individuals, with all but about 8 check-ins from
a single programmer who is a US citizen and fully vetted and known
personally to me.

D. Richard Hipp
sqlite-users mailing list