Re: [orbit-dev] Evolving Orbit's Process/Policy

On Thu, 2019-10-24 at 10:42 +0200, Gunnar Wagenknecht wrote:
> Hi Carl,
> 
> I believe this is a non-issue for a couple of reasons. We do trust the community to do the right thing. We do have a couple of checks in place to detect this, though.
> 
> The way Orbit with EBR works, the malicious library must make it into Maven Central first. I think there will be many more eyes watching this than just Orbit committers. Also, the process for getting an update to an existing library into Maven Central requires some proof already that the update is coming from the project team. To my memory, the case you cited happened outside the Maven/Java community. I see it as much more difficult to achieve that in the Maven world.
> 
> Additionally, adding an updated version to Orbit does not automatically trigger a project using it. It still needs another contribution to the project. Thus, the project team will be aware and can do their own vetting before consuming the library.
> 
> Last but not least, we still have our IP process in place. This ensures license vetting. It will not do content-based reviews, though. But it will bring new possibilities around automation. Thus, I'm expecting the upcoming IP tooling to help in detecting problems quicker than before.

Thanks for taking the time to respond, Gunnar. Having returned, and had
the opportunity to talk to Wayne as well, I can confirm that it has
*always* been the responsibility of committers to ensure that the 3rd
party libraries they wish to use do not behave in malicious ways.

The legal team only checks the licensing, provenance of the code, and
some anomalies, but not its behaviour.

-- 
Roland Grunberg
