V14.2.7 - move to V10 #2167
This does not seem clear enough to me. We need more detail, IMO. How about: Verify that third-party components are sourced from distinct, verifiable repositories separate from internally developed applications to prevent dependency confusion attacks. Implement rigorous validation processes, including signature verification and integrity checks, for all external dependencies. Additionally, monitor third-party repositories for updates and vulnerabilities to reduce the risk of malicious injection or supply chain attacks.
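The sourcing and integrity checks the proposed wording above asks for, as an added example that is not part of this issue or of the ASVS project: a lockfile audit that flags third-party entries resolved from a registry other than the one their origin requires, or lacking a strong integrity hash. The @acme scope, the acme-build-tools name, both registry hosts and the lockfile fragment are constructed assumptions.

```python
"""Audit a lockfile for dependency-confusion indicators (constructed example)."""
from urllib.parse import urlparse

# Hypothetical policy: internal packages live under the @acme scope or are listed
# by name, and may only be resolved from the internal registry host.
INTERNAL_SCOPE = "@acme"
INTERNAL_NAMES = {"acme-build-tools"}
INTERNAL_REGISTRY = "npm.internal.example"
PUBLIC_REGISTRY = "registry.npmjs.org"

def is_internal(name: str) -> bool:
    return name.startswith(INTERNAL_SCOPE + "/") or name in INTERNAL_NAMES

def audit_lockfile(lock: dict) -> list:
    """Return (package, finding) pairs for entries that violate the sourcing policy."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # root project entry has no resolved URL
            continue
        name = path.split("node_modules/")[-1]  # handles nested node_modules paths
        host = urlparse(entry.get("resolved", "")).hostname or ""
        integrity = entry.get("integrity", "")
        if not integrity.startswith("sha512-"):
            findings.append((name, "missing or weak integrity hash"))
        expected = INTERNAL_REGISTRY if is_internal(name) else PUBLIC_REGISTRY
        if host != expected:
            findings.append((name, f"resolved from {host or 'unknown'}, expected {expected}"))
    return findings

# Constructed package-lock.json v2/v3 fragment, not real data.
SAMPLE_LOCK = {"packages": {
    "": {"name": "app"},
    "node_modules/left-pad": {
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        "integrity": "sha512-CONSTRUCTED"},
    "node_modules/@acme/auth": {
        "resolved": "https://npm.internal.example/@acme/auth/-/auth-2.0.0.tgz",
        "integrity": "sha512-CONSTRUCTED"},
    # Internal name resolved from the public registry: the confusion outcome.
    "node_modules/acme-build-tools": {
        "resolved": "https://registry.npmjs.org/acme-build-tools/-/acme-build-tools-9.9.9.tgz",
        "integrity": "sha1-CONSTRUCTED"},
}}

if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {why}")
```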
"dependency confusion" is an attack against the build process and it is not something you are going to check or fix with documentation. The implementation process itself we considered to be out of scope - it is outside the application's responsibility; at the same time, we cannot ignore this issue. So we need to set the focus on the outcome - the built program code. Something like:
@elarlang how about:
Ok for me. For the section, it still seems dependency-related and can go together with the current 14.2.1 and be moved to V10?
So we would create a new dependency section V10.6?
Or is this an architecture thing?
For me it's solving a dependency issue, not the application architecture. So, my proposal is to move the current section V14.2 to V10.6.
Spin-off from #2088, the requirement comes in via #899
For me, it is not a configuration requirement. I think it is again something for "V10.X software architecture" or "Handling software components".