Hi,
Official builds: this is a gray area. I usually build official builds on behalf
of other authors, and I think it’s up to the author to decide (I build
maintenance versions of my add-ons myself if there are patches that should go
out fast).
Cheers,
Joseph
From: nvda-addons-bounce@xxxxxxxxxxxxx
[mailto:nvda-addons-bounce@xxxxxxxxxxxxx] On Behalf Of derek riemer
Sent: Friday, April 8, 2016 11:36 AM
To: nvda-addons@xxxxxxxxxxxxx
Subject: [nvda-addons] Automate checks to ensure malicious content isn't put in
the sconstruct files.
Hi guys,
I am wondering if we can automate the process of making sure that addon
sconstructfiles don't change. Many reviewers might not realize, but sconstruct
file and buildvars are just as important to code review. They run python code,
and can insert whatever they want into the addon. I am tempted to write
automatic code review infrastructure to hash the sconstruct and check it
against a golden sconstruct. Also, we could ensure if it changes between
versions, the build fails until we update the hash after a code review. In this
way, the author doesn't insert some folder on their local machine into the
official add-on. Also, should we provide a community guideline that says the
official build cannot be built by the author?
Just some thoughts, I have never seen an evil sconstruct, this is purely
theoretical.
--
_____
Derek Riemer
* Department of computer science, third year undergraduate student.
* Proud user of the NVDA screen reader.
* Open source enthusiast.
* Member of Bridge Cu
* Avid skiier.
Websites:
Honors portfolio <http://derekriemer.com>
Awesome little hand built weather app! <http://django.derekriemer.com/weather/>
email me at derek.riemer@xxxxxxxxxxxx <mailto:derek.riemer@xxxxxxxxxxxx>
Phone: (303) 906-2194
