[Biojava-dev] biojava / Security

Francois Pepin francois_pepin at attglobal.net
Fri Jul 25 17:41:25 EDT 2003


Hi Rainer,

As far as I know, it would be theoretically possible for someone to
submit malicious code in the CVS, but keep in mind that anyone can go
and see the code there, and a lot of the developers have this reflex
(especially since the javadoc isn't always that good). The chances of
malicious code being included and not detected are slim, but it can
still be a problem in some cases.

If this is a serious problem for your company, you have 2 basic
solutions that I can see:
1- Go over the code that you're using from Biojava and don't always use
the CVS version. Check the changes in the code yourself when updating
from CVS (diff works wonders for that). And while you're doing that, if
you see bugs or things that can be improved, send them back to be included
in the next version.

2- Sandbox the java application as if it were an applet. This is a quick
and dirty solution and probably not worth it because the default sandbox
is probably too restrictive for you, but you can change the settings a
bit.

My advice would be to use the first one. Possibly there have been other
people who did this and might be able to certify that a given version of
the classes is clean (if you're willing to trust them).

Francois

On Fri, 2003-07-25 at 12:06, Warth,Rainer,LAUSANNE,NRC/BAS wrote:
> Hi,
>    biojava has probably become an important part of our daily work and we would
> not like to miss it. However, I was just recently asked within the company,
> what would be the security risk by using software from a public project such
> as biojava. Could it be possible that somebody submits undesired code into
> the biojava package, which would end up on my machine and cause harm to our
> intranet.
>    Does anybody have some suggestions where to learn more about this type of
> problem? Maybe somebody can propose a good strategy to protect against this
> type of security risk?
> 
> Best, Rainer
> 
> Dr. Rainer Warth
> Research Scientist Bioinformatics
> 
> Nestle Research Center
> NESTEC LTD.
> Vers-Chez-LES-BLANC     phone: +41/21 785 87 13
> 1000 LAUSANNE 26          FAX: +41/21 785 89 25
> SWITZERLAND            e-mail: rainer.warth at rdls.nestle.com
> 
> _______________________________________________
> biojava-dev mailing list
> biojava-dev at biojava.org
> http://biojava.org/mailman/listinfo/biojava-dev
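The first solution above (review the changes yourself when updating from CVS) is easier to keep up if you record a checksum manifest of the tree you last reviewed, so that the next update only shows you the files that actually differ. The script below is an added example and is not code from this thread or from the BioJava project; the directory layout, file names and class bodies in `demo` are constructed for the demonstration, and it assumes `sha256sum` (or `shasum`) and `awk` are available. Paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: checksum manifest of a reviewed source tree, plus a delta
# against a fresh checkout so only changed/added/removed files need review.
# The sample tree built in demo() is constructed, not real BioJava code.

# Print "sha256  path" for one file, using whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Print a manifest ("sha256  ./relative/path" per line) of every regular
# file under directory $1, ordered by path so manifests are comparable.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          hash_file "$f"
      done )
}

# Compare a reviewed manifest ($1) with a fresh one ($2). Output, sorted:
#   added <path>     only in the fresh checkout
#   changed <path>   content differs from the reviewed copy
#   removed <path>   only in the reviewed tree
manifest_delta() {
    awk 'FILENAME == ARGV[1] { reviewed[$2] = $1; next }
         {
             if (!($2 in reviewed))          print "added " $2
             else {
                 if (reviewed[$2] != $1)     print "changed " $2
                 delete reviewed[$2]
             }
         }
         END { for (p in reviewed)           print "removed " p }' "$1" "$2" | sort
}

# Constructed demonstration: one modified, one unchanged, one new and one
# removed file between the reviewed tree and the fresh checkout.
demo() {
    work=$(mktemp -d) && [ -n "$work" ] || return 1
    mkdir -p "$work/reviewed/org/biojava" "$work/fresh/org/biojava"
    printf 'class Seq {}\n'         > "$work/reviewed/org/biojava/Seq.java"
    printf 'class Align {}\n'       > "$work/reviewed/org/biojava/Align.java"
    printf 'class Old {}\n'         > "$work/reviewed/org/biojava/Old.java"
    printf 'class Seq { int n; }\n' > "$work/fresh/org/biojava/Seq.java"   # modified
    printf 'class Align {}\n'       > "$work/fresh/org/biojava/Align.java" # unchanged
    printf 'class Net {}\n'         > "$work/fresh/org/biojava/Net.java"   # new
    make_manifest "$work/reviewed" > "$work/reviewed.sha256"
    make_manifest "$work/fresh"    > "$work/fresh.sha256"
    manifest_delta "$work/reviewed.sha256" "$work/fresh.sha256"
    rm -rf "$work"
}

demo
```

To use it on a real update, run `make_manifest` on the checkout you have read through and keep the output alongside your notes; after the next `cvs update` into a separate directory, `make_manifest` that tree and feed both files to `manifest_delta`, then `diff` only the paths it lists. The reviewed manifest also lets you confirm later that what is deployed on a machine is byte-for-byte the tree that was reviewed.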


