-
-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] Remove dependency on PeterO.Cbor package #7
Comments
Yes, it would certainly be more reliable when integrating into a software. |
@aseigler Do you think his code would be hard to copy? Repo: https://github.com/peteroupc/CBOR |
It looks like there is not much there, but it an actively maintained project so it is a double edged sword in that if we copy a point in time version of that source, we then become responsible for watching for important updates and copying those locally, whereas if we simply reference the library, it's up to the user to do all package maintenance. I can see both sides of the argument. |
I agree with you, it is actually not difficult to integrate. but I think I'll need a snapshot to deliver reliable server modules for production. |
I have a fix for this here aseigler@941bb2a and here aseigler@28e41cb but the PeterO.CBOR project file is configured to sign binaries with a PeterO.snk file which is missing. I am guessing this is a very common problem. What's the best resolution for it these days? |
That is a good question, and I have no answer for it, either. |
Best info I have found on the topic so far: https://github.com/dotnet/corefx/blob/master/Documentation/project-docs/strong-name-signing.md. |
Thank you for that, but that document doesn't discuss the other way around: What issues can happen when a new version of a library is no longer strong-named when previous versions were? Fortunately, I am now working on version 4.0 of my CBOR library (in the 4.0 branch) and will consider removing the strong name from that version. |
Thank you for joining in @peteroupc and for your work on the CBOR parser. We can definitely wait for the 4.0 package since this issue is a "long term" enhancement. The risk factor we want to remove is for example if someone were to gain control of your nuget package sometime down the line. |
The binding policy section kind of talks about a backward compatibility story, but not in a straightforward way like you describe. In the no drop-in replacement section it plainly recommends checking in the private key, the immediate thought of which makes me very uncomfortable as a foil hat wearing security practitioner. I wish they worded that sentence differently. |
* Added PeterO.Cbor as local project to close #7 * Added Chaos.NaCl as local project for EdDSA support * Added Yubico root and known aaguid to custom metadata to support trust path verification for at least some Yubico devices
For your information, the signing key for my project is now checked in. |
Thanks for letting us know! |
Decrease dependency count by removing the dependency on PeterO.Cbor and instead copy the CBOR decode implementation.
Disadvantage: No automatic updates in case of bugs in implmentation
Advantage: No package poisoning.
The text was updated successfully, but these errors were encountered: