potatoqualitee / kbupdate

🛡 KB Viewer, Saver, Installer and Uninstaller
MIT License

Open source project that uses closed source DLLs? #221

Open mjmeans opened 1 year ago

mjmeans commented 1 year ago

Where are the sources for all the DLLs? How can I be absolutely sure the DLLs in this project haven't been modified?

mjmeans commented 1 year ago

I just want to add a little more. Since this script can require administrator privileges, extra care should be taken to assure any pre-compiled libraries are clean. This can be done by 1) providing the SHA256 that can be compared to an SHA256 published by an authoritative source; 2) documenting where to download the libraries manually from an authoritative source; or 3) linking to the source code so they can be manually built.

It's fundamentally dangerous to give administrative access to an executable with an unknown provenance or that disclaims liability.

codaamok commented 1 year ago

I could be mistaken but I believe the libraries come from a dependent module and are from the WSUS RSAT tools, or part of the WSUS installation.

Most code on the Internet doesn't provide warranty or liability, so the onus is on you to ensure security for your use case of the code in your environment. If you have concerns or it doesn't meet your standards, don't use it and roll your own solution.

mjmeans commented 1 year ago

I never said nor implied there was a warranty or liability. I'm pointing out the dangers of this and other repos that include precompiled binaries that cannot be readily verified by the end user. It's common for repos, at least in the professional server realm, to have SHA256 verifications on all the precompiled binaries.

My suggestion for this project is:

1) for the authors to add a verification script and txt file containing the SHA256 of each of the precompiled binaries so the script can be run to verify after installation to assure that none of them have been corrupted by malware at any point along the way to the end-user's system, or by malware on the end user's system.

2) add documentation to this project identifying the version and source of each precompiled DLL as well as text of the SHA256 for each one separately from the scripted verification in order to mitigate a potential for an automated corruption of the verification script.
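An added example of the verification script suggested in this thread; it is not part of kbupdate and not posted by any participant. It assumes a manifest file (default name `SHA256SUMS.txt`, one `<hex sha256>  <relative path>` entry per line, as `sha256sum` writes it) and a hypothetical function name `Test-KbBinaryHash`; it also reports DLLs on disk that the manifest does not list.

```powershell
# Example (not kbupdate's own code): compare every precompiled binary listed in a
# SHA256 manifest against the file actually on disk, and flag any DLL that is on
# disk but absent from the manifest. Manifest name/format are assumptions.
function Test-KbBinaryHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ModuleRoot,
        [string] $ManifestPath = (Join-Path $ModuleRoot 'SHA256SUMS.txt')
    )

    if (-not (Test-Path -LiteralPath $ManifestPath)) {
        throw "Manifest not found: $ManifestPath"
    }
    $root = (Resolve-Path -LiteralPath $ModuleRoot).Path.TrimEnd('\')

    $results = foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        if ($line -match '^\s*(#|$)') { continue }            # blank line or comment
        if ($line -notmatch '^(?<hash>[0-9A-Fa-f]{64})\s+\*?(?<path>.+?)\s*$') {
            Write-Warning "Malformed manifest line: $line"
            continue
        }
        $expected = $Matches['hash'].ToUpperInvariant()
        $relPath  = $Matches['path']
        $file     = Join-Path $root $relPath

        if (-not (Test-Path -LiteralPath $file)) {
            $status = 'MISSING'; $actual = $null
        } else {
            $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
            $status = if ($actual -eq $expected) { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{ Path = $relPath; Status = $status; Expected = $expected; Actual = $actual }
    }
    $results

    # A binary that was added without a manifest entry is just as suspicious as a
    # changed one, so report every DLL under the module root that is not listed.
    $listed = @($results | ForEach-Object { $_.Path.ToLowerInvariant() })
    Get-ChildItem -LiteralPath $root -Recurse -Filter *.dll | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        if ($listed -notcontains $rel.ToLowerInvariant()) {
            [pscustomobject]@{
                Path = $rel; Status = 'UNLISTED'; Expected = $null
                Actual = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}
```

Run as `Test-KbBinaryHash -ModuleRoot 'C:\path\to\kbupdate' | Where-Object Status -ne 'OK'`; anything it returns is a binary that should not be loaded under administrator privileges until its origin is explained. As the second suggestion above notes, the manifest itself only proves anything if its hashes are checked against a copy published separately from the module, otherwise a tampered package can simply ship a matching manifest.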