On Tue, Apr 24, 2012 at 4:22 PM, Johan Peeters <y...@secappdev.org> wrote:
> I was very happy to see
> http://www.sonatype.com/Products/Sonatype-Insight/Why-Insight/Reduce-Security-Risk/Security-Brief.
> Finally some attention to the elephant in the room; what is the use of
> secure coding if your software depends on third party components with
> flaws?
> ...
> How can I be sure that the binary component my build script retrieves
> from, say, Maven Central is the one released by the relevant open
> source project? I know there are checksums and such, but I remain to
> be convinced that this typically affords adequate protection or that
> it even could do so...

The problem with Maven in particular is the project stresses stability over all others. The project is more than happy to distribute stable, but buggy, code. How stable vs. buggy is not mutually exclusive is an oxymoron to me, though.
Jeff

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
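Added example (not code from this thread, from Sonatype or from the Maven project) illustrating the point in the quoted question about checksums. A repository such as Maven Central serves a `.sha1` sidecar file next to each artifact; a build tool can compare the download against it, but that only catches corruption in transit, because whoever can replace the artifact on the repository or mirror can also serve a matching checksum. Comparing against a digest recorded out of band in the build configuration is what actually detects substitution. The artifact bytes, file name and digests below are constructed for the demonstration.

```python
"""Checking a downloaded Maven artifact against (a) the repository's own
.sha1 sidecar file and (b) a digest pinned out of band.

Added example; not code from the SC-L thread or from Sonatype/Maven.
The artifact bytes, file name and digests are constructed in-line."""
import hashlib
import hmac


def parse_checksum_file(text: str) -> str:
    """Extract the hex digest from a Maven-style sidecar (.sha1/.md5/.sha256).

    Sidecar files hold the hex digest, sometimes followed by whitespace and
    a file name. Anything else is treated as malformed rather than guessed at."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    digest = tokens[0].lower()
    if any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("checksum file does not start with a hex digest")
    return digest


def hexdigest(data: bytes, algo: str = "sha1") -> str:
    return hashlib.new(algo, data).hexdigest()


def verify_against_sidecar(artifact: bytes, sidecar_text: str, algo: str = "sha1") -> bool:
    """Compare with the checksum served next to the artifact.

    Detects corruption in transit, not substitution by whoever controls the
    repository or mirror: that party can serve a checksum matching any bytes."""
    expected = parse_checksum_file(sidecar_text)
    actual = hexdigest(artifact, algo)
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected, actual)


def verify_against_pin(artifact: bytes, pinned_sha256: str) -> bool:
    """Compare with a digest obtained outside the download path (release
    announcement, signed tag, a previously reviewed build) and recorded in
    the build configuration."""
    return hmac.compare_digest(hexdigest(artifact, "sha256"), pinned_sha256.lower())


def demo() -> dict:
    # Constructed stand-in for a published jar (jars are zip files, magic "PK\x03\x04").
    original = b"PK\x03\x04" + b"upstream release bytes " * 8
    sidecar = hexdigest(original) + "  library-1.0.jar\n"   # what the repository serves
    pinned = hexdigest(original, "sha256")                  # what the developer recorded out of band

    # A substituted artifact, with the sidecar regenerated by whoever substituted it.
    tampered = original + b"\x00extra class"
    tampered_sidecar = hexdigest(tampered) + "\n"

    return {
        "sidecar_accepts_original": verify_against_sidecar(original, sidecar),
        "sidecar_accepts_tampered": verify_against_sidecar(tampered, tampered_sidecar),
        "pin_accepts_original": verify_against_pin(original, pinned),
        "pin_accepts_tampered": verify_against_pin(tampered, pinned),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

`demo()` shows the sidecar check accepting both the original and the substituted artifact, while the pinned digest rejects the substitute. The stronger form of the same idea is verifying the detached PGP signature (`.asc`) that Central also hosts against a key obtained and trusted independently of the repository; that is not shown here because it needs a PGP implementation outside the standard library, and it only helps if the key itself is not fetched from the same place as the artifact.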