[Biojava-dev] biojava / Security

Chris Abajian chrisa at espressosoftware.com
Fri Jul 25 18:57:22 EDT 2003


It would increase my confidence if biojava.org posted signed MD5
checksums of the binary tarballs.  Although to be honest, I just install
them and don't give it a second thought ;-)

On Fri, 2003-07-25 at 09:36, Francois Pepin wrote:
> Hi Rainer,
> 
> As far as I know, it would be theoretically possible for someone to
> submit malicious code in the CVS, but keep in mind that anyone can go
> and see the code there, and a lot of the developers have this reflex
> (especially since the javadoc isn't always that good). The chances of
> malicious code being included and not detected are slim, but it can
> still be a problem in some cases.
> 
> If this is a serious problem for your company, you have 2 basic
> solutions that I can see:
> 1- Go over the code that you're using from Biojava and don't always use
> the CVS version. Check the changes in the code by yourself when updating
> from CVS (diff works wonders for that). And while you're doing that, if
> you see bugs or things that can be improved, send it back to be included
> in the next version.
> 
> 2- Sandbox the java application as if it was an applet. This is a quick
> and dirty solution and probably not worth it because the default sandbox
> is probably too restrictive for you, but you can change the settings a
> bit.
> 
> My advice would be to use the first one. Possibly, there have been other
> people who did this and might be able to certify that a given version of
> the classes is clean (if you're willing to trust them).
> 
> Francois
> 
> On Fri, 2003-07-25 at 12:06, Warth,Rainer,LAUSANNE,NRC/BAS wrote:
> > Hi,
> >    biojava has probably become an important part of our daily work and we would
> > not like to miss it. However, I was just recently asked within the company,
> > what the security risk would be of using software from a public project such
> > as biojava. Could it be possible that somebody submits undesired code into
> > the biojava package, which would end up on my machine and cause harm to our
> > intranet?
> >    Does anybody have some suggestions where to learn more about this type of
> > problem? Maybe somebody can propose a good strategy to protect against this
> > type of security risk?
> > 
> > Best, Rainer
> > 
> > Dr. Rainer Warth
> > Research Scientist Bioinformatics
> > 
> > Nestle Research Center
> > NESTEC LTD.
> > Vers-Chez-LES-BLANC     phone: +41/21 785 87 13
> > 1000 LAUSANNE 26          FAX: +41/21 785 89 25
> > SWITZERLAND            e-mail: rainer.warth at rdls.nestle.com
> > 
> > _______________________________________________
> > biojava-dev mailing list
> > biojava-dev at biojava.org
> > http://biojava.org/mailman/listinfo/biojava-dev
> 
-- 
Chris Abajian
Espresso Software Development, L.L.C.
http://espressosoftware.com
206.910.4903

Espresso Software Development provides software development and
consulting services. We develop, deploy and support scalable,
multi-tiered, high-availability web, e-commerce and data-processing
applications.
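As an added example (not code from this list thread or from the BioJava project), the script below does the check Chris asks for: it verifies a downloaded tarball against an md5sum-style checksum manifest, and separately checks the manifest's detached signature with gpg so that the checksum itself can be trusted. The tarball name, the manifest, and the gpg key setup are constructed assumptions.

```python
import hashlib
import hmac
import pathlib
import subprocess
import tempfile

def parse_manifest(text):
    """Parse md5sum/sha256sum-style lines: '<hexdigest>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries

def file_digest(path, algo="md5"):
    """Hash a file in chunks (MD5 as in the post; prefer sha256 for new releases)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_is_signed(manifest_path, sig_path):
    """Check the manifest's detached signature with gpg (assumes gpg and the
    project's key are installed): an unsigned checksum can be swapped with the tarball."""
    return subprocess.run(["gpg", "--verify", sig_path, manifest_path],
                          capture_output=True).returncode == 0

def verify_tarball(path, manifest_text, algo="md5"):
    """True only if the file is listed in the manifest and its digest matches."""
    expected = parse_manifest(manifest_text).get(pathlib.Path(path).name)
    if expected is None:
        return False
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed tarball and manifest (not a real release), then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        p = pathlib.Path(d, "biojava-sample.tar.gz")  # hypothetical file name
        p.write_bytes(b"constructed bytes, not a real release\n")
        manifest = f"{file_digest(p)}  {p.name}\n"
        good = verify_tarball(p, manifest)
        p.write_bytes(p.read_bytes() + b"injected\n")  # simulate a modified download
        return {"good": good, "tampered": verify_tarball(p, manifest),
                "unlisted": verify_tarball(p, "")}
```

Run `manifest_is_signed()` on the downloaded manifest and its `.sig` before calling `verify_tarball()`; a matching checksum only means the archive agrees with the manifest, and only the signature ties that manifest to the project.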
