
[SECURITY] Audit the opentelemetry-cpp repository for supply chain attacks #2623

Open
1 of 2 tasks
marcalff opened this issue Apr 2, 2024 · 1 comment
Assignees
Labels
bug Something isn't working triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@marcalff
Member

marcalff commented Apr 2, 2024

In light of the xz attack:

audit the opentelemetry-cpp repository for possible attack vectors.

Full list of checks to be determined.

To start with:

  • review executable permissions on files
  • audit and remove all binary files from the repository (not aware of any)
  • enforce CI to forbid binary files
  • audit binary downloads used during the build process
  • enforce checksums when appropriate
  • cut off unnecessary dependencies when practical
  • prefer installing dependencies from the OS distribution, when practical

Subtasks:

@marcalff marcalff added the bug Something isn't working label Apr 2, 2024
@github-actions github-actions bot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Apr 2, 2024
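As an added example (not code from the opentelemetry-cpp project or from this thread), a POSIX shell script that implements three of the checks listed above so they can gate CI: flag files with the executable bit set outside an allowlist, detect tracked binary files using git's own NUL-byte heuristic, and verify a build-time download against a pinned SHA-256. The directory layout, the allowlist file format (one relative path per line) and the sample values are assumptions.

```shell
#!/bin/sh
# Constructed example: repository hygiene checks for a supply-chain audit.
# Usage: . ./repo_audit.sh; audit_repo <repo-dir> <executable-allowlist>

# List regular files carrying the user executable bit, skipping .git metadata.
list_executables() {
  find "$1" -path "$1/.git" -prune -o -type f -perm -u+x -print | sort
}

# Git's heuristic: a file is binary if a NUL byte occurs in its first 8000 bytes.
is_binary() {
  total=$(head -c 8000 "$1" | wc -c | tr -d ' ')
  nonnul=$(head -c 8000 "$1" | tr -d '\000' | wc -c | tr -d ' ')
  [ "$total" -ne "$nonnul" ]
}

# List every tracked file that looks binary (the audit expects none).
list_binaries() {
  find "$1" -path "$1/.git" -prune -o -type f -print | sort | while read -r f; do
    is_binary "$f" && printf '%s\n' "$f" || :
  done
}

# Verify a downloaded artifact against a pinned SHA-256 hex digest before use.
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Run the executable-bit and binary-file checks; non-zero exit fails the CI job.
# Paths listed in the allowlist (relative to the repo root) may stay executable.
audit_repo() {
  repo=$1; allow=$2; rc=0
  bad_exec=$(list_executables "$repo" | sed "s|^$repo/||" | grep -vxF -f "$allow" || :)
  if [ -n "$bad_exec" ]; then
    printf 'executable bit set outside allowlist:\n%s\n' "$bad_exec" >&2; rc=1
  fi
  bins=$(list_binaries "$repo")
  if [ -n "$bins" ]; then
    printf 'binary files tracked in repository:\n%s\n' "$bins" >&2; rc=1
  fi
  return $rc
}
```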
@marcalff
Member Author

marcalff commented Apr 2, 2024

Upstream unnecessary permission found, seen with GitHub submodules:

@marcalff marcalff changed the title Audit the opentelemetry-cpp repository for supply chain attacks [SECURITY] Audit the opentelemetry-cpp repository for supply chain attacks Apr 2, 2024
@marcalff marcalff added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 3, 2024
@marcalff marcalff self-assigned this Apr 3, 2024