• GolfNovemberUniform
    link
    fedilink
    arrow-up
    4
    arrow-down
    4
    ·
    4 个月前

    Update plugin com.android.test to v8.5.0 by @renovate in #1561

    Was it properly checked for backdoor injections?

    • Corngood
      link
      fedilink
      arrow-up
      7
      ·
      4 个月前

      Is there a reason you’re suspicious about that particular dependency, or are you just asking about dependencies in general?

      • GolfNovemberUniform
        link
        fedilink
        arrow-up
        2
        arrow-down
        2
        ·
        edit-2
        4 个月前

        I’m worried about that one specifically. Dependencies in general can be suspicious if they come from untrusted sources but in that case it’s suspicious by being related to testing (like the xz thing was) that shouldn’t even be in a released app anyways.

        • pingveno
          link
          fedilink
          English
          arrow-up
          3
          ·
          4 个月前

          It’s not included in the final build artifact. It’s a Gradle plugin.

    • DessalinesOPMA
      link
      fedilink
      arrow-up
      6
      ·
      edit-2
      4 个月前

      What’s the context there? We update dependencies very frequently.

        • DessalinesOPMA
          link
          fedilink
          arrow-up
          7
          ·
          4 个月前

          I have no idea what this means. Why is the android testing dependency is less secure than all the other android deps we’ve updated?

    • mannycalavera@feddit.uk
      link
      fedilink
      arrow-up
      4
      ·
      4 个月前

      If you have a security concern you should raise this with Google using a minimal working example to demonstrate yourself.

      Do you have a genuine concern and can you provide a working example of the attack surface in a repository that you can share?

      • GolfNovemberUniform
        link
        fedilink
        arrow-up
        2
        arrow-down
        3
        ·
        4 个月前

        Check the code for suspicious lines and then check the compiled app for network traffic etc

        • DessalinesOPMA
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          4 个月前

          There were dozens of dependency upgrades in this release, I have no idea why you think this specific one has security issues. Either way we don’t have time to read through every line of code of every dep update, but here’s the source code: https://android.googlesource.com/platform/tools/base

          If you find something, you might want to submit a PR as it would affect not just ours, but a lot of android projects.

          • GolfNovemberUniform
            link
            fedilink
            arrow-up
            1
            arrow-down
            3
            ·
            4 个月前

            Reading through the code of the dependency is not required. What is required is reading through the merge request to see if the dependency isn’t used for malicious or wasteful purposes. Checking on the authenticity of the dependency is a good idea too.