[Biojava-dev] biojava / Security

Warth,Rainer,LAUSANNE,NRC/BAS rainer.warth at rdls.nestle.com
Thu Aug 14 17:05:12 EDT 2003 

Dear Francois,
  sorry for the slow response, I had some days of and other things were
going on as well.

I agree with you that the very fact that biojava is an open-source project
will protect it
from security issues. However, it might take a moment some melicous code is
detected by collegues and it therefore usefull to have some procedures in
place.

-1-
	This is definitively an aproach I will start to use.

-2-
	I made some attempst, but decided to leave.

Thanks again, for your help. 

Best, Rainer

-----Original Message-----
From: Francois Pepin [mailto:francois_pepin at attglobal.net]
Sent: vendredi, 25. juillet 2003 18:37
To: Warth,Rainer,LAUSANNE,NRC/BAS
Cc: 'biojava-dev at biojava.org'
Subject: Re: [Biojava-dev] biojava / Security


Hi Rainer,

As far as I know, it would be theoretically possible for someone to
submit malicious code in the CVS, but keep in mind that anyone can go
and see the code there, and a lot of the developers have this reflex
(especially since the javadoc isn't always that good). The chances of
malicious code being included and not detected are slim, but it can
still be a problem in some cases.

If this is a serious problem for your company, you have 2 basic
solutions that I can see:
1- Go over the code that you're using from Biojava and don't always use
the CVS version. Check the changes in the code by yourself when updating
from CVS (diff works wonders for that). And while you're doing that, if
you see bugs or things that can be improved, send it back to be included
in the next version.

2- Sandbox the java application as if it was an applet. This is a quick
and dirty solution and probably not worth it because the default sandbox
is probably too restrictive for you, but you can change the settings a
bit.

My advice would be to use the first one. Possibly, there's been other
people who did this and might be able to certify that a given version of
the classes are clean (if you're willing to trust them).

Francois

On Fri, 2003-07-25 at 12:06, Warth,Rainer,LAUSANNE,NRC/BAS wrote:
> Hi,
>    biojava has probably became an import part of our daily work and we
would
> not like to miss it. However, I was just recently asked within the
company,
> what would be the security risk by using software from a public project
such
> as biojava. Could it be possible that sombebody submits undesired code
into
> the biojava package, which would end up on my machine and cause harm to
our
> intranet.
>    Does anybody has some suggestions where to learn more about this type
of
> problem ? Maybe somebody can propose a good strategy to protect againt
this
> type of security risk ? 
> 
> Best, Rainer
> 
> Dr. Rainer Warth
> Research Scientist Bioinformatics
> 
> Nestle Research Center
> NESTEC LTD.
> Vers-Chez-LES-BLANC     phone: +41/21 785 87 13
> 1000 LAUSANNE 26          FAX: +41/21 785 89 25
> SWITZERLAND            e-mail: rainer.warth at rdls.nestle.com
> 
> _______________________________________________
> biojava-dev mailing list
> biojava-dev at biojava.org
> http://biojava.org/mailman/listinfo/biojava-dev

More information about the biojava-dev mailing list