Dependency confusion


LikesCookies

Brian Tillman
Sep 23, 2020
In SN 807, Steve talks about confusion in dependencies when building services. He said it's hard to guard against something like that. Wouldn't it help to have a manifest with hashes of each module in the build that could be checked to make sure there were no unexpected modules included due to confusion?
 
have a manifest with hashes of each module
Yes, I had had the same thought as well. The upside would be as you have proposed, it would lock in a set of dependencies. The downside is that some software evolves frequently/rapidly, and it would prevent the automatic inclusion of updated (bug/security fixed) dependencies.
 
slow the evolution
Well, it depends on whether that was a security fix you were expecting to pick up from a dependency. Many of us use dependencies without knowing the intricacies of their construction because there's not enough time in the world to understand everything when deadlines loom.
 
This situation is truly horrible. Building hybrid code from inside and outside your network disturbs me; it also strengthens the need to have code reviews and perhaps a method to flag internalised components in the repo as pull-from-internal.

Our lovely CIA triad is kicking in here with the I and A being strong. You want to ensure the integrity of the code you're pulling into an internal product and you want to ensure the version you have verified and validated (with scanning, testing) remains constant so that you don't break your application the next time you pull everything together from source.
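
The manifest-with-hashes check proposed in the first post, combined with the pull-from-internal flag suggested later in the thread, as an added example that is not part of any participant's post. The package names, versions, index URLs and archive bytes are all constructed for illustration.

```python
import hashlib

# All package names, versions, URLs and archive bytes below are constructed.
INTERNAL = "https://pkgs.internal.example/"
PUBLIC = "https://public-registry.example/"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_build(manifest: dict, resolved: dict) -> list:
    """Compare what the build resolved against the pinned manifest.
    Returns sorted (module, problem) findings; an empty list means a match."""
    findings = []
    for name, art in resolved.items():
        pin = manifest.get(name)
        if pin is None:  # a module nobody approved
            findings.append((name, "not in manifest"))
            continue
        if art["version"] != pin["version"]:
            findings.append((name, f"version {art['version']} != pinned {pin['version']}"))
        if sha256(art["content"]) != pin["sha256"]:
            findings.append((name, "hash mismatch"))
        # The "pull-from-internal" flag: the pin names the only allowed origin.
        if not art["source"].startswith(pin["source"]):
            findings.append((name, f"pulled from {art['source']}"))
    for name in manifest.keys() - resolved.keys():
        findings.append((name, "pinned but missing from build"))
    return sorted(findings)

AUTH = b"constructed bytes of internal acme-auth 1.4.2"
HTTP = b"constructed bytes of public httplib-x 2.0.1"
MANIFEST = {
    "acme-auth": {"version": "1.4.2", "sha256": sha256(AUTH), "source": INTERNAL},
    "httplib-x": {"version": "2.0.1", "sha256": sha256(HTTP), "source": PUBLIC},
}
CLEAN_BUILD = {
    "acme-auth": {"version": "1.4.2", "content": AUTH, "source": INTERNAL + "acme-auth/"},
    "httplib-x": {"version": "2.0.1", "content": HTTP, "source": PUBLIC + "httplib-x/"},
}
# Confused build: the resolver preferred a higher-numbered public package
# carrying the internal module's name.
CONFUSED_BUILD = dict(CLEAN_BUILD)
CONFUSED_BUILD["acme-auth"] = {"version": "99.0.0", "content": b"constructed look-alike",
                               "source": PUBLIC + "acme-auth/"}

if __name__ == "__main__":
    for label, build in (("clean", CLEAN_BUILD), ("confused", CONFUSED_BUILD)):
        print(label, verify_build(MANIFEST, build) or "OK")
```

A legitimate upstream update trips the same version and hash findings as the look-alike, so the manifest has to be re-pinned deliberately after each reviewed upgrade.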