Reply to post: What you describe is convenience, not sense

Chef roasted for tech contract with family-separating US immigration, forks up attempt to quash protest

Woodnag

What you describe is convenience, not sense

When a release is approved, it should be rebuilt with all the libraries pulled and stored locally, and that binary shipped. This way, and only this way, can the build be described as frozen and repeatable. Of course it's a pain. But the first time you try to compile you create a script with all pulls to make it easier next time.

You can also audit whether different code portions are calling different versions of the same library.

Think that's silly? See HCSEC_OversightBoardReport-2019.pdf at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf where Huawei's code used "6 copies of 2 different OpenSSL versions, with 5 being 1.0.2k and one fork from a vendor SDK. There remained 17 partial copies of 3 versions, ranging from 0.9.7d to 1.0.2k. The fragments from the 10 different versions of OpenSSL remained across the codebase as do the OpenSSL derived files that have been modified by Huawei. More worryingly, the later version appears to contain code that is vulnerable to 10 publicly disclosed OpenSSL vulnerabilities, some dating back to 2006. This shows the lack of maintainability and security resulting from the poor configuration management, product architecture and component lifecycle management."

Lastly, repositories are other people's computers. Use them, don't depend on them.
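The audit the comment recommends, checking whether different parts of a codebase carry different versions of the same library, can be scripted. The following is an added example and is not code from the commenter or from the HCSEC report: it walks a source tree, treats every `opensslv.h` as the marker of a vendored OpenSSL copy, reads the version declared in it (the `OPENSSL_VERSION_TEXT` form used before 3.0 and the `OPENSSL_VERSION_STR` form used by 3.x; any other layout is assumed not to occur), and summarises how many copies of how many distinct versions exist. The sample tree it builds in a temporary directory is constructed for the demonstration; the file paths in it are invented.

```python
import os
import re
import tempfile
from collections import Counter

# Version macros as they appear in OpenSSL's opensslv.h.
# Pre-3.0:  # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2k  26 Jan 2017"
# 3.x:      # define OPENSSL_VERSION_STR  "3.0.9"
# Assumption: no other declaration form is present in the tree being audited.
VERSION_PATTERNS = [
    re.compile(r'OPENSSL_VERSION_TEXT\s+"OpenSSL\s+([0-9][0-9A-Za-z.\-]*)'),
    re.compile(r'OPENSSL_VERSION_STR\s+"([0-9][0-9A-Za-z.\-]*)"'),
]


def openssl_version_of(path):
    """Return the OpenSSL version string declared in a header, or None."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    for pattern in VERSION_PATTERNS:
        match = pattern.search(text)
        if match:
            return match.group(1)
    return None


def find_openssl_copies(root):
    """Map every opensslv.h under root (relative path) to its declared version."""
    copies = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != "opensslv.h":
                continue
            full = os.path.join(dirpath, name)
            version = openssl_version_of(full)
            if version:
                copies[os.path.relpath(full, root)] = version
    return copies


def summarise(copies):
    """Count copies per version; more than one distinct version is the finding to chase."""
    counts = Counter(copies.values())
    return {
        "copies": sum(counts.values()),
        "distinct_versions": len(counts),
        "by_version": dict(counts),
    }


def build_sample_tree(root):
    """Constructed sample: three vendored OpenSSL copies, two of them the same version.
    The directory names are invented for this example."""
    samples = {
        "third_party/openssl/include/openssl/opensslv.h":
            '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2k  26 Jan 2017"\n',
        "vendor_sdk/ssl/opensslv.h":
            '#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004"\n',
        "modules/tls/openssl/opensslv.h":
            '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2k  26 Jan 2017"\n',
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def audit_sample():
    """Build the constructed tree, audit it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarise(find_openssl_copies(tmp))


if __name__ == "__main__":
    result = audit_sample()
    for version, n in sorted(result["by_version"].items()):
        print(f"OpenSSL {version}: {n} copy/copies")
    print(f"{result['copies']} copies of {result['distinct_versions']} distinct versions")
```

Run `find_openssl_copies` against a real checkout instead of the sample tree to get the per-path listing; a result with more than one distinct version is the condition the HCSEC quote describes, and the per-path map tells you which component dragged in the older copy. The header-name heuristic only finds full copies; partial copies (individual `.c` files lifted from OpenSSL) need a content-based scan, which this example does not attempt.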
