Hi,

On 21.02.21 at 09:43, Andrew Udvare wrote:
>> On 2021-02-20, at 16:48, Jean-Baptiste Faure <jbfaure@xxxxxxxxxxxxxxx> wrote:
>>
>> Hi,
>>
>> I certainly did not understand everything in https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610, but I wonder if LibreOffice could be subject to this kind of vulnerability?
> As far as I can tell, the dependencies that LibreOffice uses in distributions are gathered manually and updated manually. So, not really.

It's not that easy.

The question indeed doesn't make sense for LibreOffice itself.

Still, anything which uses those "get your dependencies randomly from some random place in random versions and save them into your tree" thingy like npm, pip etc. is a problem.

And LibreOffice Online *does* use npm.

So while LibreOffice itself shouldn't be affected, conceptually by using npm LibreOffice Online is.

Regards,

Rene
_______________________________________________
LibreOffice mailing list
LibreOffice@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/libreoffice