dependency-confusion

Rene Engelhard rene at debian.org
Sun Feb 21 21:43:31 UTC 2021


Hi,

On 21.02.21 at 09:43, Andrew Udvare wrote:
>> On 2021-02-20, at 16:48, Jean-Baptiste Faure <jbfaure at libreoffice.org> wrote:
>>
>> Hi,
>>
>> I certainly did not understand everything in https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610, but I wonder if LibreOffice could be subject to this kind of vulnerability?
> As far as I can tell, the dependencies that LibreOffice uses in distributions are gathered manually and updated manually. So, not really.

It's not that easy. The question indeed doesn't make sense for
LibreOffice itself.


Still anything which uses those "get your dependencies randomly from
some random place in random versions and save them into your tree"
thingy like npm, pip etc. is a problem.

And LibreOffice Online *does* use npm.


So while LibreOffice itself shouldn't be affected, conceptually by using
npm LibreOffice Online is.


Regards,


Rene
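As an added example (not code from the original mail, from LibreOffice or from LibreOffice Online), here is the kind of lockfile audit a defender can run in CI to catch the npm exposure Rene describes: every package must resolve from an allow-listed registry with an integrity hash, and known internal packages must come from the internal registry under a reserved scope. The hostnames, the "@acme" scope, the internal package names and the package-lock.json contents are all constructed assumptions.

```javascript
// Added example, not code from the original mail or from LibreOffice Online:
// audit an npm lockfile (lockfileVersion 2 shape) for dependency-confusion
// exposure. Hostnames, the "@acme" scope and the lockfile are constructed.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org", "npm.internal.example"]);
const INTERNAL_HOST = "npm.internal.example";   // where internal packages must come from
const INTERNAL_SCOPE = "@acme";                  // scope reserved for internal packages
// Names the project publishes internally; one of these resolving from the
// public registry is exactly the substitution the linked article describes.
const INTERNAL_NAMES = new Set(["@acme/ui-kit", "acme-build-helpers"]);

// Constructed package-lock.json, not a real one.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "online-ui" },
    "node_modules/@acme/ui-kit": { version: "2.1.0", integrity: "sha512-AAAA",
      resolved: "https://npm.internal.example/@acme/ui-kit/-/ui-kit-2.1.0.tgz" },
    // Unscoped internal name, suspiciously high version, fetched from npmjs.org.
    "node_modules/acme-build-helpers": { version: "99.0.1", integrity: "sha512-BBBB",
      resolved: "https://registry.npmjs.org/acme-build-helpers/-/acme-build-helpers-99.0.1.tgz" },
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-CCCC",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
    // Unknown mirror and no integrity hash: nothing pins what gets installed.
    "node_modules/left-pad": { version: "1.3.0",
      resolved: "https://mirror.example.net/left-pad-1.3.0.tgz" },
  },
};

// Returns one finding per violated rule, as { name, issue }.
function auditLock(lock, internalNames = INTERNAL_NAMES) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue;                   // the root project entry
    // "node_modules/a/node_modules/@s/b" -> "@s/b" (segment after the last node_modules/)
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const host = meta.resolved ? new URL(meta.resolved).hostname : "";
    if (!ALLOWED_HOSTS.has(host)) findings.push({ name, issue: "resolved from unlisted host " + host });
    if (!meta.integrity) findings.push({ name, issue: "missing integrity hash" });
    if (internalNames.has(name)) {
      if (host !== INTERNAL_HOST) findings.push({ name, issue: "internal package resolved from " + host });
      if (!name.startsWith(INTERNAL_SCOPE + "/")) findings.push({ name, issue: "internal package is unscoped" });
    }
  }
  return findings;
}
```

Run against the constructed lockfile, the clean public package and the scoped internal package pass, while the unscoped internal name fetched from the public registry and the unpinned mirror download each produce two findings.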


