Open source project that uses closed source DLLs? #221
Comments
|
I just want to add a little more. Since this script can require administrator privileges, extra care should be taken to assure any pre-complied libraries are clean. This can be done by 1) Provide the SHA256 that can be compared to an SHA256 published authoritative source; 2) Document where to download the libraries manually from an authoritative source; or, 3) link to the source code so they can be manually built. It's fundamentally dangerous to give administrative access to an executable with an unknown provenance or that disclaims liability. |
|
I could be mistaken but I believe the libraries come from a dependent module and are from the WSUS RSAT tools, or part of the WSUS installation. Most code on the Internet doesn't provide warranty or liability, so the onus is on you to ensure security for you use case of the code in your environment. If you have concerns or it doesn't meet your standards, don't use it and roll your own solution. |
|
I never said nor implied there was a warranty or liability. I'm pointing out the dangers of this and other repos that include precompiled binaries that cannot be readily verified by the end user. It's common for repos, at least in the professional server realm, to have SHA256 verifications on all the precompiled binaries. My suggestion for this project is:
|
Where are the sources for all the DLLs? How can I be absolutely sure the DLLs in this project haven't been modified?
The text was updated successfully, but these errors were encountered: