Johan,

Since each git commit is identified by a SHA-1 and git is popular with open source projects, it would be possible to incorporate them as a "submodule" as part of your larger superproject within git, but it does have some limitations, outlined within http://stackoverflow.com/questions/996164/is-anyone-really-using-git-super-subprojects

Let me know if this addresses your concern or if I am way off?

On Wed, Apr 25, 2012 at 6:22 AM, Johan Peeters <y...@secappdev.org> wrote:
> These points are important. However, I am also concerned about
> component distribution.
> How can I be sure that the binary component my build script retrieves
> from, say, Maven Central is the one released by the relevant open
> source project? I know there are checksums and such, but I remain to
> be convinced that this typically affords adequate protection or that
> it even could do so. If my fears are well-founded, current
> distribution mechanisms of open source components provide the ideal
> opportunity for installing back-doors on the server side.
> I hope I am just being paranoid and the authors neglected to talk
> about distribution because it is obviously secure. I certainly would
> have been happier if distribution had been analysed and found secure,
> or, even, not terribly insecure.
> Does anyone else share these concerns? Or can anyone allay my fears?

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
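The checksum point Johan raises, worked through as an added example that is not from either poster: it compares a checksum sidecar fetched alongside an artifact (Maven repositories publish a `.sha1` file next to each artifact) with a digest pinned out of band in the build's own configuration. The artifact bytes and the "compromised mirror" scenario are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for a downloaded jar.
GENUINE_JAR = b"PK\x03\x04genuine-release-1.0.jar-contents"
# Constructed stand-in for a copy replaced on a compromised mirror.
TAMPERED_JAR = b"PK\x03\x04genuine-release-1.0.jar-contents+backdoor"


def sha1_hex(data: bytes) -> str:
    """Digest in the form a repository's <artifact>.sha1 sidecar carries."""
    return hashlib.sha1(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_sidecar(text: str) -> str:
    """A .sha1 sidecar holds the hex digest, optionally followed by a filename."""
    return text.strip().split()[0].lower()


def verify_with_sidecar(artifact: bytes, sidecar_text: str) -> bool:
    """Check the artifact against the checksum file fetched from the same
    server. This only catches transfer corruption: whoever can replace the
    artifact on the server can regenerate the sidecar to match."""
    return hmac.compare_digest(sha1_hex(artifact), parse_sidecar(sidecar_text))


def verify_with_pin(artifact: bytes, pinned_sha256: str) -> bool:
    """Check against a digest recorded out of band, e.g. committed to the
    build's lock file when the dependency was first reviewed."""
    return hmac.compare_digest(sha256_hex(artifact), pinned_sha256.lower())


# The pin is taken once from the reviewed copy and committed with the build.
PINNED_SHA256 = sha256_hex(GENUINE_JAR)


def scenario() -> dict:
    """Genuine download vs. a mirror that replaced both jar and sidecar."""
    genuine_sidecar = sha1_hex(GENUINE_JAR) + "  release-1.0.jar\n"
    tampered_sidecar = sha1_hex(TAMPERED_JAR) + "  release-1.0.jar\n"
    return {
        "genuine_sidecar": verify_with_sidecar(GENUINE_JAR, genuine_sidecar),
        "genuine_pin": verify_with_pin(GENUINE_JAR, PINNED_SHA256),
        "tampered_sidecar": verify_with_sidecar(TAMPERED_JAR, tampered_sidecar),
        "tampered_pin": verify_with_pin(TAMPERED_JAR, PINNED_SHA256),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

The tampered artifact passes the sidecar check and fails only the pinned check, which is the gap in relying on a checksum served from the same place as the component.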