Re: has GnuCash code been reviewed for security?
Hi,

Please be sure to CC gnucash-user on all your replies using your mailer's Reply-To-List or Reply-All functionality.

You're now getting more into topics for the development list and not the user list, but suffice it to say that GnuCash is NOT a security application, it is a financial application. You should treat it as such. The developers work hard to ensure that the program won't crash based on bogus inputs, but of course bugs still happen.

Any further development-related question should be redirected to gnucash-devel.

Thanks,

-derek

Marcus Winston writes:

> OK, sure. That's fine.
>
> So Gnucash takes as input data from some other program that has connected to the internet. Does GnuCash validate this data before accepting it as input? (one example of a security protection). Does GnuCash manage its own input buffers or does it allow the external program to manipulate the buffers (the latter being a security risk). Just a couple examples.
>
> -marcus
>
> On Wed, Nov 8, 2017 at 5:56 PM, Derek Atkins wrote:
>
> > None of that happens in gnucash. That is all done by GnuTLS, controlled by AqBanking.
> >
> > -derek
> >
> > Sent using my mobile device. Please excuse any typos.
> >
> > On November 8, 2017 8:54:36 PM Marcus Winston <mar...@thechocolatehouse.net> wrote:
> >
> > > I'm thinking mainly of the connection to banks, downloading transactions. I assume it's done over https or something similar. Has a code review of that portion been conducted, to make sure it's secure (at least, as secure as folks know how to make it)? Security vulnerabilities abound everywhere these days...
> > >
> > > Thanks.
> > >
> > > -marcus
> > >
> > > On Wed, Nov 8, 2017 at 5:43 PM, Derek Atkins wrote:
> > >
> > > > Hi,
> > > >
> > > > What specifically would such a code review be looking for?
> > > >
> > > > GnuCash is a financial application. It specifically does not provide security services like encryption, leaving that to security specific applications (like TrueCrypt). Passwords to online banking are never stored. All other security is from external providers.
> > > >
> > > > So what are you looking for?
> > > >
> > > > -derek
> > > >
> > > > Sent using my mobile device. Please excuse any typos.
> > > >
> > > > On November 8, 2017 8:36:31 PM Marcus Winston <mar...@thechocolatehouse.net> wrote:
> > > >
> > > > > I've searched the web and mailing list archives for this one, but didn't find it. I'm just curious if GnuCash has ever gone through a code review specifically for security? Perhaps something like what was done for TrueCrypt...?

-- 
Derek Atkins 617-623-3745 de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

___
gnucash-user mailing list
gnucash-user@gnucash.org
https://lists.gnucash.org/mailman/listinfo/gnucash-user
-
Please remember to CC this list on all your replies.
You can do this by using Reply-To-List or Reply-All.
Re: has GnuCash code been reviewed for security?
On Thu, Nov 9, 2017 at 9:24 AM, Buddha Buck wrote:

> GnuCash also doesn't do any network access, either as a client or server. For things like financial quote lookup, it calls 3rd-party tools. That's another way that GnuCash minimizes its security footprint.

I was thinking along these lines, but I wasn't sure enough to actually say it does no network access. For instance, it can access a remote mysql database? But perhaps this is also delegation to a mysql driver so wouldn't count? Anyway, delegation is truly the gist of it.
Re: has GnuCash code been reviewed for security?
GnuCash also doesn't do any network access, either as a client or server. For things like financial quote lookup, it calls 3rd-party tools. That's another way that GnuCash minimizes its security footprint.

On Thu, Nov 9, 2017 at 8:44 AM Aaron Laws wrote:

> On Wed, Nov 8, 2017 at 8:35 PM, Marcus Winston <mar...@thechocolatehouse.net> wrote:
>
> > I've searched the web and mailing list archives for this one, but didn't find it. I'm just curious if GnuCash has ever gone through a code review specifically for security? Perhaps something like what was done for TrueCrypt...?
>
> There aren't many angles for Gnucash security. Data can be stored in xml or SQL. The SQL storage security is up to the provider: mysql, sqlite, postgres. XML is in plain text, so you'll need to secure it physically or using your operating system.
>
> As Derek asks: what else would you like to know?
Re: has GnuCash code been reviewed for security?
On Wed, Nov 8, 2017 at 8:35 PM, Marcus Winston wrote:

> I've searched the web and mailing list archives for this one, but didn't find it. I'm just curious if GnuCash has ever gone through a code review specifically for security? Perhaps something like what was done for TrueCrypt...?

There aren't many angles for Gnucash security. Data can be stored in xml or SQL. The SQL storage security is up to the provider: mysql, sqlite, postgres. XML is in plain text, so you'll need to secure it physically or using your operating system.

As Derek asks: what else would you like to know?
Re: has GnuCash code been reviewed for security?
Hi,

What specifically would such a code review be looking for?

GnuCash is a financial application. It specifically does not provide security services like encryption, leaving that to security specific applications (like TrueCrypt). Passwords to online banking are never stored. All other security is from external providers.

So what are you looking for?

-derek

Sent using my mobile device. Please excuse any typos.

On November 8, 2017 8:36:31 PM Marcus Winston wrote:

> I've searched the web and mailing list archives for this one, but didn't find it. I'm just curious if GnuCash has ever gone through a code review specifically for security? Perhaps something like what was done for TrueCrypt...?
has GnuCash code been reviewed for security?
I've searched the web and mailing list archives for this one, but didn't find it. I'm just curious if GnuCash has ever gone through a code review specifically for security? Perhaps something like what was done for TrueCrypt...?