JustinGrote/SecretManagement.KeePass

Can dependencies be trusted?

Closed this issue · 4 comments

iRon7 commented

We are in a highly secured environment and I am currently in a test phase for SecretManagement/Microsoft.PowerShell.SecretStore
I did some successful testing with the SecretManagement.KeePass (0.9.2) extension on my private machine.
Now that we are bringing the items into our environment, it appears that there is a dependency on PSFramework.
How can the security of the 3rd party modules be guaranteed/trusted?

See also: #184 Can extensions be trusted?

All the modules are open source, you can review them yourself. You also can "pin" your dependencies so that you never pull a newer version without review.

Otherwise unless you want to sponsor me, this is a "best effort" open source project, it is not a commercial module with a team constantly reviewing and scanning for vulnerabilities.

iRon7 commented

Hello Justin,

Thanks for the answer.
No offence, I am sure there are only good intentions in your open source project.
The "trust" thoughts that I am dealing with: the owner of the SecretManagement (Microsoft) has quite a lot to lose if there is a leak somewhere (besides, there are a lot of eyes looking at what they are doing). The responsibility of an open source writer is a lot less: "All the modules are open source, you can review them yourself". I do have some open source projects myself and, e.g., I care less about a breaking change than Microsoft (or the PowerShell team) does.
But this concerns secret data, and therefore I would control the code at the highest (SecretManagement) level or at least at an extension level (SecretManagement.KeePass) and not include further (module) parties.

@iRon7 you are free to not use this module if you do not trust it as a pinned dependency. I'll happily give back the money you paid for it :)

PSFramework is managed/written by Fred. Fred is working for Microsoft. He's also a trusted member of the PowerShell community. After downloading, review the code, and use Justin's module along with the PSFramework module that you reviewed on your own trusted platform (aka internal PSGallery). This will give you the trust that you only run trusted code (already reviewed). Then every time there's a new update by Justin or Fred you go through the process again and again.

Otherwise, your only choice is to write things yourself - good luck with that :-)
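The "pin, review, then serve from an internal gallery" workflow that the two replies above describe, written out as an added example that is not part of the issue thread or of either module. 0.9.2 is the version named in the issue; the PSFramework version, the internal gallery URLs, the API-key variable and the approved-hashes file are assumptions.

```powershell
# Added example, not from the issue thread: "review, then pin" for SecretManagement.KeePass
# and its PSFramework dependency. The PSFramework version, the internal gallery URLs and the
# approved-hashes file are placeholders; 0.9.2 is the version named in the issue.
param([switch]$Approve)   # pass -Approve only after the staged source has actually been read
$ErrorActionPreference = 'Stop'

$Staging  = Join-Path $env:TEMP 'ModuleReview'
$Approved = Join-Path $PSScriptRoot 'approved-hashes.json'   # hashes accepted at the last review
$Pins = @(
    @{ Name = 'SecretManagement.KeePass'; RequiredVersion = '0.9.2' }
    @{ Name = 'PSFramework';              RequiredVersion = '<reviewed-PSFramework-version>' }
)

# 1. Pull exactly the pinned versions (plus their declared dependencies) into a staging folder.
New-Item -ItemType Directory -Path $Staging -Force | Out-Null
foreach ($pin in $Pins) {
    Save-Module -Name $pin.Name -RequiredVersion $pin.RequiredVersion -Repository PSGallery -Path $Staging
}

# 2. Fingerprint every staged file so the bits that were reviewed can be recognised later.
$Current = Get-ChildItem -Path $Staging -Recurse -File | ForEach-Object {
    [pscustomobject]@{
        Path = $_.FullName.Substring($Staging.Length + 1)
        Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

# 3. Anything that differs from the last approved set has not been reviewed: stop unless -Approve.
$Diff = if (Test-Path $Approved) {
    $Old = Get-Content $Approved -Raw | ConvertFrom-Json
    Compare-Object -ReferenceObject @($Old) -DifferenceObject @($Current) -Property Path, Hash
} else { $Current }   # first run: nothing has been approved yet, so everything is a difference
if ($Diff -and -not $Approve) {
    $Diff | Format-Table -AutoSize | Out-String | Write-Host
    throw "Staged modules differ from $Approved; review them, then rerun with -Approve."
}
$Current | ConvertTo-Json | Set-Content $Approved

# 4. Publish the reviewed copies to the internal gallery; clients install only from there, pinned.
if (-not (Get-PSRepository -Name InternalGallery -ErrorAction SilentlyContinue)) {
    Register-PSRepository -Name InternalGallery -SourceLocation 'https://nuget.example.internal/v2' `
        -PublishLocation 'https://nuget.example.internal/v2/package' -InstallationPolicy Trusted
}
foreach ($pin in $Pins) {
    $modulePath = Join-Path (Join-Path $Staging $pin.Name) $pin.RequiredVersion
    Publish-Module -Path $modulePath -Repository InternalGallery -NuGetApiKey $env:INTERNAL_GALLERY_KEY
}
# On each client, never from the public gallery:
#   Install-Module SecretManagement.KeePass -RequiredVersion 0.9.2 -Repository InternalGallery
```

A new upstream release changes the hashes, so the script stops and forces the re-review the last comment describes before anything reaches the internal gallery.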