ossillate-inc / packj

Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
https://packj.dev
GNU Affero General Public License v3.0
627 stars, 36 forks

Source code? #67

Open pombredanne opened 1 year ago

pombredanne commented 1 year ago

Hi, I would love to test this tool (I happen to have a few commits in strace), but I cannot trust this non-open-source binary plug at https://github.com/ossillate-inc/packj/blame/4797939a09e5fb113d60577515044e905afd4fa0/packj/sandbox/README.md#L142

You wrote:

We are not ready to immediately open source this small piece yet. This is NOT to implement security by obscurity, but to avoid easy copy-and-reuse scenarios. The rest of the tool is completely open; this piece will be too, eventually.

When will you make this open source?

ashishbijlani commented 1 year ago

We will try to do this soon, but may not happen before the end of the year. However, you could easily write your own strace-based checks and disable loading of the shared library.

pombredanne commented 1 year ago

Fair enough! Though would you mind reopening this and keeping it open until it is fixed?

ashishbijlani commented 1 year ago

Sure. Just reopened this.