169: library version pinning #272

deedayal · 2024-07-26T19:45:10Z

added new technique to close issue per @netfl0

netfl0 · 2024-11-20T13:13:54Z

ikiril01 · 2024-11-20T16:40:38Z

@deedayal thanks for the contribution! A few thoughts:

Minor syntax stuff, but the class name should not include underscores and therefore should be LibraryVersionPinning
Are there any references that you can add which support the use of this as a countermeasure?
Related to the above question, I found the following on Python dependencies: https://docs.google.com/document/d/1x_VrNtXCup75qA3glDd2fQOB2TakldwjKZ6pXaAjAfg/edit?tab=t.0. It says that there are negative security aspects to library pinning, as it means that an application could be running older versions of a library when there are newer versions available that may have fixed vulnerabilities: Second, pinning dependencies means that versions will stagnate to some extent, that users will have to persist in the use of outdated distributions even after updated versions that address, for example, security vulnerabilities are released. If a project pins dependencies, then it must be prepared to issue a new release every time there is an important release of anything the project depends on directly or indirectly, all the way down the dependency chain.

netfl0 · 2024-11-27T22:08:26Z

OBE and forthcoming source code hardening taxonomy.

169: library version pinning

f174723

netfl0 added this to the 1.0.0 milestone Nov 20, 2024

netfl0 requested a review from ikiril01 November 20, 2024 13:14

netfl0 assigned ikiril01 Nov 20, 2024

netfl0 closed this Nov 27, 2024

Provide feedback