Make source acceptable in Debian?

Petter Reinholdtsen pere at hungry.com
Wed Nov 9 12:28:40 CET 2016


Hi Thomas.

[Thomas Sødring]
> My current thinking is that I want to keep the project source up to
> date with libraries that the project is based on. This means that the
> project will always use the latest versions of hibernate, spring etc
> (where there are no conflicts). But this *only* applies at compile
> time.

My starting point is that systems like the ones the NSA project Irritant
Horn describes do exist, and HTTP and HTTPS connections can be hijacked as
one connects to download dependencies.  There are ways to guard against
this, for example by storing checksums alongside the URL to use while
downloading, and always verifying the checksum after downloading.  As far
as I can see, maven does not do this, leading to the risk that what I
download and you download isn't the same - and it is used to compromise
my machine.  This seems like a bad starting point for a filing system
that should be able to store the sensitive personal information of
citizens.

Next there is the challenge of providing help and support to those using
the system, while it is hard or impossible to know which version of
dependencies they happened to download.  If I build one day and you
another, it isn't given which version of dependencies we installed if
"the latest versions" is the aim.

For system integrators and security managers there is the added
complication of working with multiple versions of the same libraries.
Say product X needs library L version 1 and product Y needs library L
version 2.  As product Z and the rest of the alphabet are introduced, it
soon becomes impossible to find a version of library L that can work with
all the products.  And when a security issue in library L shows up,
upgrading to a version where the security issue is fixed becomes
impossible.
 
> My first choice of distribution model is docker, that will work its way
> into the project soon.

Do you intend to have the SQL database inside or outside docker?  As I
understand it, docker installations are upgraded by throwing away the
image and starting afresh, which isn't a great way to upgrade databases.

> So I guess the discussion is about compile time versus runtime.

My focus is compile time downloads.

-- 
Happy hacking
Petter Reinholdtsen
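The guard Petter describes above (a checksum stored next to each download URL, verified after every fetch) is shown here as a small resolver. This is an added example, not code from the email or from the nikita-noark project; the lockfile format, the artifact coordinates and URL, and the jar bytes are all constructed placeholders, and the fetch functions stand in for a network download so the block runs offline.

```python
"""Pinned-checksum dependency resolution (added example, not project code).

A lockfile pairs each artifact URL with the SHA-256 of the bytes the
developer originally reviewed. Whatever comes back from the network is
hashed and compared before it is accepted, so a build on my machine and a
build on yours either get identical bytes or fail loudly.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class PinnedArtifact:
    coordinates: str   # hypothetical Maven-style group:artifact:version
    url: str           # hypothetical download location
    sha256: str        # hex digest recorded when the artifact was vetted


class ChecksumMismatch(Exception):
    """Raised when downloaded bytes do not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(payload: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the payload's digest against the pin."""
    return hmac.compare_digest(sha256_hex(payload), expected_sha256.lower())


def resolve(lockfile: List[PinnedArtifact],
            fetch: Callable[[str], bytes]) -> Dict[str, bytes]:
    """Fetch every artifact and refuse the whole build on any mismatch."""
    resolved: Dict[str, bytes] = {}
    for art in lockfile:
        payload = fetch(art.url)
        if not verify_artifact(payload, art.sha256):
            raise ChecksumMismatch(
                f"{art.coordinates}: bytes from {art.url} do not match pinned sha256")
        resolved[art.coordinates] = payload
    return resolved


def resolve_unpinned(lockfile: List[PinnedArtifact],
                     fetch: Callable[[str], bytes]) -> Dict[str, bytes]:
    """The 'trust whatever the URL returns' behaviour, for contrast."""
    return {art.coordinates: fetch(art.url) for art in lockfile}


# Constructed sample bytes standing in for a real jar (not library content).
GOOD_JAR = b"PK\x03\x04 constructed stand-in for a hibernate-core jar"
TAMPERED_JAR = GOOD_JAR + b" bytes altered on the wire"

# Constructed lockfile: the digest was taken from the vetted GOOD_JAR bytes.
LOCKFILE = [
    PinnedArtifact("org.hibernate:hibernate-core:EXAMPLE-VERSION",
                   "https://repo.example.invalid/hibernate-core.jar",
                   sha256_hex(GOOD_JAR)),
]


def honest_fetch(url: str) -> bytes:
    return GOOD_JAR


def hijacked_fetch(url: str) -> bytes:
    """Simulates a connection that hands back modified bytes."""
    return TAMPERED_JAR


def demo() -> dict:
    """Returns which resolver accepted the tampered download."""
    pinned_ok = len(resolve(LOCKFILE, honest_fetch))
    try:
        resolve(LOCKFILE, hijacked_fetch)
        pinned_caught = False
    except ChecksumMismatch:
        pinned_caught = True
    unpinned = resolve_unpinned(LOCKFILE, hijacked_fetch)
    unpinned_accepted = unpinned[LOCKFILE[0].coordinates] == TAMPERED_JAR
    return {"pinned_ok": pinned_ok,
            "pinned_caught_tampering": pinned_caught,
            "unpinned_accepted_tampering": unpinned_accepted}


if __name__ == "__main__":
    print(demo())
```

The digest has to be recorded at the moment someone actually reviewed the bytes; a pin generated automatically from the first download only proves that later downloads match the first one, not that the first one was what the developer intended.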

