This repository has been archived by the owner on Mar 5, 2021. It is now read-only.

Vendor dependencies to manage risk of source compromise #24

Open
DanielHeath opened this issue May 16, 2014 · 2 comments

Comments

@DanielHeath

If one of the upstream providers injects malicious code, anyone who builds credulous from source will get it by default.

An alternative is to vendor upstream sources (by e.g. checking copies into this repo); this means that updates are pulled in by the Credulous team rather than automatically sent to anyone who builds from source.

@DanielHeath
Author

This would also remove the bzr dependency.

@nonspecialist
Collaborator

Yeah, this is probably a good thing to do a little later on, when the frantic pace of change slows a little.
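The check that makes vendoring effective against the risk raised in this issue, as an added example that is not part of the thread or of the Credulous code base: once upstream copies are checked into the repo, the team records a manifest of their hashes at review time, and every later build compares the vendored tree against that manifest, so an upstream change can only reach builders after someone has looked at it and re-pinned. Assumed here: the manifest is whatever HashTree returned when the copies were reviewed, and the vendored tree lives under a directory the caller passes in.

```go
package main
import (
	"crypto/sha256"
	"encoding/hex"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest maps a vendored file path (slash-separated, relative to the vendor root) to its SHA-256 hex digest.
type Manifest map[string]string

// HashTree walks root and hashes every regular file; this is the "actual" side of the check.
func HashTree(root string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors, skip directories and symlinks
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p) // p is always under root, so Rel cannot fail
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// Diff lists every file that is missing, modified, or absent from the pinned manifest. An empty
// result means the tree is byte-for-byte what was reviewed; anything else needs inspection first.
func Diff(pinned, actual Manifest) []string {
	var out []string
	for path, want := range pinned {
		if got, ok := actual[path]; !ok {
			out = append(out, "missing: "+path)
		} else if got != want {
			out = append(out, "modified: "+path)
		}
	}
	for path := range actual {
		if _, ok := pinned[path]; !ok {
			out = append(out, "unexpected: "+path)
		}
	}
	sort.Strings(out) // deterministic output for CI logs and review
	return out
}
```

A build step that fails when Diff returns anything turns a silent upstream change into a visible review item; re-running HashTree over the vendor directory and committing the result is the deliberate "pull in the update" action the issue describes.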
