[erlang-questions] where did my code come from?

David Goehrig dave@REDACTED
Wed Sep 14 01:29:29 CEST 2011


On Sep 13, 2011, at 4:28 PM, Jakob Praher <jakob@REDACTED> wrote:

> What about security issues - can you trust www.a.b even if it depends on
> some internal modules (that are not sandboxed)?

Do you trust the code you download via cpan, gems, easy_install, npm, yum, apt, or your favorite module system here?

Even if you have PGP signatures and programmatically check them, you still implicitly trust the developer whose code you are using. The best you can do is lock down to an assumed good state and save the hash. 

My suspicion is in the long term systems will continue to be so complex no one will be able to verify trust, and we'll adapt by living with a certain level of insecurity and abuse. 

Dave
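The "lock down to an assumed good state and save the hash" approach Dave mentions, as an added illustration that is not part of the original post: snapshot the hashes of a dependency tree into a lock file once it is in a state you have reviewed, then verify the tree against that lock file before each use so any modified, missing or newly added file is flagged. The directory layout, file contents and lock file name below are constructed for the example; no particular package manager is assumed.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large artifacts do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (as a /-separated relative path) to its hash."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, lock_path):
    """Persist the known-good state; keep this file outside the tree it describes."""
    with open(lock_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(lock_path):
    with open(lock_path) as f:
        return json.load(f)


def verify_manifest(root, manifest):
    """Compare the tree on disk against the saved state and report every deviation."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def is_trusted(report):
    """True only when the tree matches the locked state exactly."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed end-to-end run: lock a small fake module tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "deps")            # constructed dependency tree
        lock = os.path.join(work, "deps.lock.json")  # constructed lock file name
        _write(root, "www/src/www.erl", b"-module(www).\n-export([start/0]).\n")
        _write(root, "www/src/www_util.erl", b"-module(www_util).\n")
        _write(root, "internal/src/internal.erl", b"-module(internal).\n")

        # Reviewed state: record it once.
        save_manifest(build_manifest(root), lock)
        clean = verify_manifest(root, load_manifest(lock))

        # Simulated drift: one file edited, one removed, one added.
        _write(root, "www/src/www_util.erl", b"-module(www_util).\n%% changed\n")
        os.remove(os.path.join(root, "internal/src/internal.erl"))
        _write(root, "www/src/extra.erl", b"-module(extra).\n")
        tampered = verify_manifest(root, load_manifest(lock))
        return clean, tampered


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print("clean tree trusted:", is_trusted(clean_report))
    print("tampered tree report:", json.dumps(tampered_report, indent=2))
```

The lock file only turns an implicit trust decision into an explicit, repeatable one: it catches drift after the snapshot, not a bad snapshot, so the review that precedes `save_manifest` is still where the trust actually comes from, which is exactly the limitation the post points out.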

