summary refs log tree commit diff stats
path: root/results/scraper/box64/1789
diff options
context:
space:
mode:
Diffstat (limited to 'results/scraper/box64/1789')
-rw-r--r--results/scraper/box64/178916
1 files changed, 16 insertions, 0 deletions
diff --git a/results/scraper/box64/1789 b/results/scraper/box64/1789
new file mode 100644
index 000000000..e6caf3351
--- /dev/null
+++ b/results/scraper/box64/1789
@@ -0,0 +1,16 @@
+Where did those libraries come from?
+I have been asked by my employer to install box64 for our developers to use. I do not use it myself.

+

+When doing so I discovered that its build system attempts to install some x86 libraries that it needs. It installs them in a way which could replace the libraries provided by the operating system and the particular libraries which would be installed got me very concerned because they cover network encryption, password validation and DNS resolution, which are highly sensitive, and so I looked in the documentation and git history for where these libraries had been taken from and found nothing.

+

+I understand that a project of this nature might need to include some x86 libraries in order to function but the documentation should say clearly where they come from so that the binary files included in git can be compared with their upstream and sysadmins such as me can be assured that the files are legitimate and don't include some sort of malware.

+

+Please note that I am NOT accusing you of shipping malware. Also the files have been verified by our security team, who have given them a pass.

+

+It's just that the way that these binary files are distributed and installed *looks* like somebody trying to spread malware.

+

+At the very least I need to know where these binaries come from before I can install them on our systems so that I can verify that they are the same files provided by the upstream vendors. It would also be nice if they weren't blindly installed into /usr/lib.

+

+Ideally I would also like the documentation to explain why these files need to be included at all. Again, it makes perfect sense that *some* original x86 binaries would be required but the services these particular libraries provide (except PNG) are some of the most security-critical and so just seeing those filenames makes me extremely wary.

+

+In short: Please describe exactly where every binary file in the box64 source repository comes from so that the distributed files can be compared to their originals.
\ No newline at end of file