GoogleCloudPlatform / gsutil

A command line tool for interacting with cloud storage services.
Apache License 2.0

google-cloud-sdk: supply-chain security lapses #1758

Open jreiser opened 6 months ago

jreiser commented 6 months ago

Installing Google Cloud SDK on Linux according to the directions on https://cloud.google.com/sdk/docs/install reveals supply-chain security lapses in the building and distribution.

$ tar tvf google-cloud-cli-458.0.1-linux-x86_64.tar.gz  |  sed 5q
drwxr-xr-x root/root         0 1980-01-01 00:00 google-cloud-sdk/.install/.download/
-rw-r--r-- root/root        91 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli-linux-x86_64.manifest
-rw-r--r-- root/root       995 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli-linux-x86_64.snapshot.json
-rw-r--r-- root/root         0 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli.manifest
-rw-r--r-- root/root      1121 1980-01-01 00:00 google-cloud-sdk/.install/anthoscli.snapshot.json

The root/root ownership is a supply-chain security lapse because building and/or distributing as root offers the possibility of unnecessary access to an intruder. Never build as root with superuser privileges. Always use a user and group with ordinary non-privileged access permissions. Call the names GCloudBuilder/GCloudGroup, or something. And yes, the password should be secure and rotated monthly or quarterly.

The use of 1980-01-01 00:00 as date+time also is a security lapse. Actual date+time of build is important information in tracking installation history, including during and after an intrusion, as well as for identifying ordinary updated release versions.
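The two things the comment above inspects by eye in the `tar tvf` listing, member ownership and member mtime, can be checked mechanically over a whole archive. The script below is an added example for this page; it is not code from the issue, from gsutil or from the Google Cloud SDK. It uses only the standard `tarfile` module, builds a constructed in-memory sample tarball (two entries modelled on the listing above, plus a root-owned entry with a real timestamp and an entry owned by a hypothetical unprivileged `gcloudbuilder`/`gcloudgroup` account), and reports which members are root-owned and which carry the fixed 1980-01-01 00:00 timestamp.

```python
"""Audit a tarball's member metadata for root ownership and a fixed 1980-01-01 mtime."""
import calendar
import io
import tarfile
import time
from dataclasses import dataclass, field

# 1980-01-01 00:00 UTC, the timestamp shown in the listing above.
EPOCH_1980 = calendar.timegm((1980, 1, 1, 0, 0, 0))  # 315532800


@dataclass
class TarAudit:
    total: int = 0
    root_owned: list = field(default_factory=list)   # uid/gid 0 or uname/gname "root"
    fixed_mtime: list = field(default_factory=list)  # mtime equal to the fixed epoch


def audit_tar(data: bytes, fixed_epoch: int = EPOCH_1980) -> TarAudit:
    """Walk every member of an in-memory tarball and record the two findings."""
    result = TarAudit()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            result.total += 1
            if m.uid == 0 or m.gid == 0 or m.uname == "root" or m.gname == "root":
                result.root_owned.append(m.name)
            if int(m.mtime) == fixed_epoch:
                result.fixed_mtime.append(m.name)
    return result


def listing(data: bytes) -> list:
    """Render members in an owner/size/date layout similar to `tar tvf`."""
    lines = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            stamp = time.strftime("%Y-%m-%d %H:%M", time.gmtime(m.mtime))
            lines.append(f"{m.uname}/{m.gname} {m.size:>9} {stamp} {m.name}")
    return lines


def _member(name, uid, gid, uname, gname, mtime, content=b"", directory=False):
    """Build a TarInfo with explicit ownership and mtime (constructed sample data)."""
    ti = tarfile.TarInfo(name)
    ti.uid, ti.gid, ti.uname, ti.gname, ti.mtime = uid, gid, uname, gname, mtime
    if directory:
        ti.type, ti.mode = tarfile.DIRTYPE, 0o755
        return ti, None
    ti.type, ti.mode, ti.size = tarfile.REGTYPE, 0o644, len(content)
    return ti, io.BytesIO(content)


def build_sample_tar(now=None) -> bytes:
    """Constructed sample archive: two root/1980 entries like the SDK listing, two contrasting ones."""
    now = int(now if now is not None else time.time())
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for ti, fobj in (
            _member("google-cloud-sdk/.install/.download/", 0, 0, "root", "root", EPOCH_1980, directory=True),
            _member("google-cloud-sdk/.install/anthoscli.manifest", 0, 0, "root", "root", EPOCH_1980),
            # hypothetical unprivileged build account with the real build time
            _member("google-cloud-sdk/bin/gcloud", 1001, 1001, "gcloudbuilder", "gcloudgroup", now, b"#!/bin/sh\n"),
            # root-owned but with a real timestamp: only the ownership check should fire
            _member("google-cloud-sdk/RELEASE_NOTES", 0, 0, "root", "root", now, b"458.0.1\n"),
        ):
            tf.addfile(ti, fobj)
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_tar()
    for line in listing(blob):
        print(line)
    a = audit_tar(blob)
    print(f"{len(a.root_owned)}/{a.total} root-owned, {len(a.fixed_mtime)}/{a.total} stamped 1980-01-01")
```

To run it against a real download, replace `build_sample_tar()` with the bytes of `google-cloud-cli-458.0.1-linux-x86_64.tar.gz` read from disk; `audit_tar` reads the member headers only and never extracts anything.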