[nvda-addons] Re: Automate checks to ensure malicious content isn't put in the sconstruct files.

  • From: derek riemer <driemer.riemer@xxxxxxxxx>
  • To: nvda-addons@xxxxxxxxxxxxx
  • Date: Fri, 8 Apr 2016 12:43:24 -0600

For your information:
The sha256 hash of the sconstruct currently is:
bb8c1bb8551645ce39af513d5f90f68186a79f7ea3cdb2c7acb0b5c42a0db1dc
If you are doing code review, feel free to match against that.

On 4/8/2016 12:38 PM, Joseph Lee wrote:


Hi,

Official builds: this is a gray area. I usually build official builds on behalf of other authors, and I think it’s up to the author to decide (I build maintenance versions of my add-ons myself if there are patches that should go out fast).

Cheers,

Joseph

From: nvda-addons-bounce@xxxxxxxxxxxxx [mailto:nvda-addons-bounce@xxxxxxxxxxxxx] On Behalf Of derek riemer
Sent: Friday, April 8, 2016 11:36 AM
To: nvda-addons@xxxxxxxxxxxxx
Subject: [nvda-addons] Automate checks to ensure malicious content isn't put in the sconstruct files.

Hi guys,
I am wondering if we can automate the process of making sure that addon sconstruct files don't change. Many reviewers might not realize, but the sconstruct file and buildvars are just as important to code review. They run python code, and can insert whatever they want into the addon. I am tempted to write automatic code review infrastructure to hash the sconstruct and check it against a golden sconstruct. Also, we could ensure that if it changes between versions, the build fails until we update the hash after a code review. In this way, the author doesn't insert some folder on their local machine into the official add-on. Also, should we provide a community guideline that says the official build cannot be built by the author?
Just some thoughts; I have never seen an evil sconstruct, this is purely theoretical.

--

------------------------------------------------------------------------


    Derek Riemer

  * Department of computer science, third year undergraduate student.
  * Proud user of the NVDA screen reader.
  * Open source enthusiast.
  * Member of Bridge Cu
  * Avid skier.

Websites:
Honors portfolio <http://derekriemer.com>
Awesome little hand built weather app! <http://django.derekriemer.com/weather/>

email me at derek.riemer@xxxxxxxxxxxx <mailto:derek.riemer@xxxxxxxxxxxx>
Phone: (303) 906-2194


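One way to implement the golden-hash gate proposed in the thread, as an added example written for this page (it is not code from the thread, from NVDA, or from any add-on project). It assumes the add-on directory contains files named sconstruct and buildVars.py (the names are an assumption; adjust them to the project's real ones) and that reviewers, not the add-on author, maintain the approved hashes in a file called golden_hashes.json:

```python
#!/usr/bin/env python3
"""Gate an add-on build on reviewed ("golden") hashes of its build scripts.

Added example; file names below are assumptions, not project conventions.
The build is allowed only when every watched file matches the hash a
reviewer recorded after reading it. Any change blocks the build until a
human re-reviews the file and records the new hash with --approve.
"""
import hashlib
import hmac
import json
import os
import sys

# Assumed names of the scripts that run Python during the build.
WATCHED_FILES = ("sconstruct", "buildVars.py")
# Assumed name of the reviewer-maintained hash file.
GOLDEN_FILE = "golden_hashes.json"


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory blob (handy for tests and small inputs)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def current_hashes(root, names=WATCHED_FILES):
    """Map each watched file name to its hash, or None if it is missing."""
    result = {}
    for name in names:
        path = os.path.join(root, name)
        result[name] = sha256_of_file(path) if os.path.isfile(path) else None
    return result


def compare_hashes(actual, golden):
    """Return a list of (file, problem) tuples; an empty list means build OK.

    Problems: "missing" (watched file is gone), "unreviewed" (no golden hash
    recorded for it), "changed" (hash differs from the reviewed one).
    """
    problems = []
    for name, digest in actual.items():
        if digest is None:
            problems.append((name, "missing"))
        elif not isinstance(golden.get(name), str):
            problems.append((name, "unreviewed"))
        elif not hmac.compare_digest(digest, golden[name]):
            problems.append((name, "changed"))
    return problems


def load_golden(path):
    """Read the reviewer-maintained hash file."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_golden(path, hashes):
    """Record newly reviewed hashes; run this only after a human code review."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(hashes, fh, indent=2, sort_keys=True)
        fh.write("\n")


def main(argv):
    """Usage: check_build_scripts.py [ADDON_DIR] [--approve]"""
    root = argv[1] if len(argv) > 1 else "."
    golden_path = os.path.join(root, GOLDEN_FILE)
    actual = current_hashes(root)
    if "--approve" in argv[2:]:
        save_golden(golden_path, actual)
        print("recorded reviewed hashes in", golden_path)
        return 0
    golden = load_golden(golden_path) if os.path.isfile(golden_path) else {}
    problems = compare_hashes(actual, golden)
    for name, problem in problems:
        print("BUILD BLOCKED: %s is %s; re-review it, then run with --approve"
              % (name, problem))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the first step of the official build so a changed or unreviewed build script makes the build fail rather than silently executing. The check only records that a review happened; it does not judge the content, so the golden file must live somewhere the add-on author cannot edit alongside the scripts (a reviewer-controlled repository or a protected branch), otherwise an author could update the hash and the script in the same change and the gate proves nothing.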
