Comments (5)
I see you point, but I don't want to maintain this deps manually.
How serious this flaw is in your opinion?
P.S. libevent uses more or less trusted plugins
from libevent.
Hi @azat!
First, answering your question:
According to Scorecard Documentation, Pinning your dependencies is a measure of Medium priority. Considering your specific case, I'd also say it'd fit as a flaw of medium risk, considering that you indeed have dangerous permissions with unpinned deps, but those deps are quite trustful (e.g. the ones from github itself).
Now complementing my answer:
I'm not sure I understood what you meant by "maintain the deps manually", but are you considering the help from the Dependency-Update-Tools? They would make sure to automatically create PRs updating your dependencies at the pace that conveys to your demands. I.e., we can configure it to create PRs only updating major versions, only minors, only security updates, etc.
That said, having a Dependency-Update-Tool is also a requirement from Scorecard, and one of High priority (mostly for making sure you'd have access to security updates as soon as they're released). So I'd suggest that you consider this, independently of your decision around hash-pinning the dependencies =).
Let me know your thoughts and I can act on a PR with whatever you decide.
from libevent.
I'm not sure I understood what you meant by "maintain the deps manually", but are you considering the help from the Dependency-Update-Tools? They would make sure to automatically create PRs updating your dependencies at the pace that conveys to your demands. I.e., we can configure it to create PRs only updating major versions, only minors, only security updates, etc.
To be honest, I don't see the difference in this case, from my point of view, it will improve the security only if someone will take a look at the plugins/changes before update, if some bot will do this, then it does not looks better then simply using official tags.
from libevent.
Hi @azat, That's a very valid concern and we have even created the issue ossf/scorecard#3549 to clarify this differences (we're still pending to update the issue with our conclusions).
The main advantage is that by hashpinning dependencies and using a Dependency-Update-Tools, your dependencies won't be updated right after the new version is released. So you have a larger time period to ensure any malicious releases are detected by the community before they're consumed by your project.
As an example, consider this attack on python ecosystem. In summary, the ctx
python package was compromised and the project reference in pypi was replaced by a malicious version -- i.e., every project that installed this dependency without proper pinning had the malicious version installed. This ctx
problem was detected by the community ~1 week after the attack.
Considering the example, if the dependency was pinned and a Dependency-Update-Tool was used, there would be considerabe changes that the problem would be detected before the new version was suggested to you and/or you merged the Dependabot PR. That's even clearer when you consider that Dependabot doesn't suggest updates to version that has a CVE registered, and you could also choose to update your versions only after some time the new version was released.
from libevent.
Related Issues (20)
- The code has a null pointer problem in release-2.1.12-stable HOT 1
- Test failures on freebsd in case of parallel runs
- 2.1.12-stable fails test/regress type tests on FreeBSD 14.0 AMD64 HOT 2
- epoll_pwait2 only supported by recent valgrind
- Compile error in wepoll.c with mingw from ubuntu-22.04.2
- Incorrect CMAKE_INSTALL_RPATH HOT 1
- http.c evhttp_make_request can`t send message by vrf network HOT 9
- nameserver_probe_callback() accesses a nameserver object freed by evdns_base_clear_nameservers_and_suspend() HOT 6
- Support for `visionos` as a platform HOT 5
- Compile error in bufferevent_openssl.c w/ MSVC HOT 2
- add a param (ev_misalign_t misalign) to function evbuffer_add_reference HOT 3
- Libevent 2.2 stable release
- Warnings reported by Infer HOT 2
- Bug in make_ws_frame (ws.c), bug in get_ws_frame (ws.c) HOT 1
- Which version is currently most suitable for libevent? HOT 2
- How to get the reqeust queue length of one evhttp_connection? HOT 1
- libevent debugging HOT 1
- [bug] Event activated by event_active on another thread may loss while event timeout HOT 4
- clang: error: linker command failed with exit code 1 (use -v to see invocation) make[1]: *** [sample/le-proxy] Error 1 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from libevent.