Trust But Verify

  • Comments posted to this topic are about the item Trust But Verify

  • I like CLR! Imagine all the possibilities...
    I don't like CLR! Imagine all the possibilities...

  • thierry.vandurme - Tuesday, December 18, 2018 1:21 AM

    I like CLR! Imagine all the possibilities...
    I don't like CLR! Imagine all the possibilities...

    http://www.sqlservercentral.com/stairway/105855/ dispels most of the myths

  • When building a Hadoop stack we ran into a lot of problems with different versions of the components not talking to each other.  That is why Hortonworks, Cloudera and MapR exist, to provide the guaranteed version matching of the disparate components.

    In terms of upgrading anything in the Hadoop stack we took the approach of having a local repository.  This meant that the stack was always built from known, tested versions of the software in the local environment and not from whatever was most current from the internet.
    As a separate repo we DID pull the latest stuff from the internet and this went through a rigorous testing cycle to ensure that version compatibility issues were thrashed out, penetration testing was done etc.  Only when all this was done would the contents downloaded from external sources be allowed into the local repository.  This also reduced the attack surface area as the number of routes and ports to the main system could be greatly reduced.
    I don't know if this approach can be taken with Node.JS but I would be surprised if it couldn't.
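The "known, tested versions only" approach above maps onto Node.js fairly directly: point npm at an internal registry and refuse anything in the lock file that either resolves elsewhere or whose tarball no longer matches the recorded integrity hash. The script below is an added example, not code from the original post or from npm; the registry host npm.internal.example, the package entries and the tarball bytes are all constructed for the demonstration.

```python
"""Verify an npm package-lock.json against a curated internal registry.

Added example, not code from the thread or from npm. Assumptions (not in
the original post): the curated mirror is served at npm.internal.example
(hypothetical), and the lock file uses the lockfileVersion 2 "packages"
shape, whose entries carry "resolved" (download URL) and "integrity"
(a Subresource Integrity string such as "sha512-<base64 digest>").
"""
import base64
import hashlib
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# Hypothetical internal mirror; only tarballs from here are trusted.
INTERNAL_REGISTRY_HOSTS = {"npm.internal.example"}


def parse_sri(integrity: str) -> Tuple[str, bytes]:
    """Split an SRI string like 'sha512-<base64>' into (algorithm, raw digest)."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo!r}")
    return algo, base64.b64decode(b64)


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """Compute the SRI string npm would record for a tarball's bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def check_lockfile(lock: dict, fetch: Callable[[str], bytes]) -> List[Tuple[str, str]]:
    """Return (package, problem) findings for every entry that cannot be trusted.

    `fetch(url) -> bytes` is supplied by the caller; a real one would download
    the tarball from the mirror. The registry check runs before any fetch so
    nothing is ever pulled from an unapproved host.
    """
    findings = []
    for name, entry in lock.get("packages", {}).items():
        if name == "":  # the root project entry describes the app itself
            continue
        resolved = entry.get("resolved")
        integrity = entry.get("integrity")
        if not resolved or not integrity:
            findings.append((name, "missing resolved/integrity; cannot verify"))
            continue
        host = urlparse(resolved).hostname
        if host not in INTERNAL_REGISTRY_HOSTS:
            findings.append((name, f"resolved from untrusted registry {host}"))
            continue
        algo, expected = parse_sri(integrity)
        actual = hashlib.new(algo, fetch(resolved)).digest()
        if actual != expected:
            findings.append((name, "integrity mismatch: tarball differs from lock file"))
    return findings


# Constructed tarball contents standing in for what the mirror would serve.
TARBALLS: Dict[str, bytes] = {
    "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz": b"left-pad 1.3.0 (constructed)",
    "https://npm.internal.example/ws/-/ws-7.0.0.tgz": b"ws 7.0.0 (constructed, re-published)",
}


def build_sample_lock() -> dict:
    """A constructed lock file: one clean entry, one whose tarball changed
    after vetting, and one that still points at the public registry."""
    left_pad_url = "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz"
    ws_url = "https://npm.internal.example/ws/-/ws-7.0.0.tgz"
    return {
        "name": "example-app",
        "lockfileVersion": 2,
        "packages": {
            "": {"name": "example-app", "version": "1.0.0"},
            "node_modules/left-pad": {
                "version": "1.3.0", "resolved": left_pad_url,
                "integrity": sri_for(TARBALLS[left_pad_url]),
            },
            "node_modules/ws": {
                "version": "7.0.0", "resolved": ws_url,
                # hash of the bytes that were vetted; the mirror now serves different ones
                "integrity": sri_for(b"ws 7.0.0 (constructed, as vetted)"),
            },
            "node_modules/some-util": {  # hypothetical package name
                "version": "2.1.0",
                "resolved": "https://registry.npmjs.org/some-util/-/some-util-2.1.0.tgz",
                "integrity": sri_for(b"some-util 2.1.0 (constructed)"),
            },
        },
    }


def run_demo() -> Dict[str, str]:
    """Run the check over the constructed lock file; returns {package: problem}."""
    return dict(check_lockfile(build_sample_lock(), TARBALLS.__getitem__))


if __name__ == "__main__":
    for pkg, problem in run_demo().items():
        print(f"{pkg}: {problem}")
```

Two caveats a practitioner would want stated: the hash check only proves the mirror still serves what the lock file recorded, so it catches tampering after vetting but says nothing about whether the vetted version was good, which is exactly why the separate testing cycle before admission to the local repository matters; and an attacker who can edit the lock file can update the hash too, so the lock file itself needs to be reviewed in version control like any other code.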

  • David.Poole - Tuesday, December 18, 2018 1:38 AM

    thierry.vandurme - Tuesday, December 18, 2018 1:21 AM

    I like CLR! Imagine all the possibilities...
    I don't like CLR! Imagine all the possibilities...

    http://www.sqlservercentral.com/stairway/105855/ dispels most of the myths

    Thanks Dave. Did some testing in the past and I was able to gain sysadmin permissions; if I remember correctly (it's been a while), I ran sqlcmd -E from within my CLR procedure, gaining access to SQL under its service account.
    I'm very wary of it, especially if it's untrusted 3rd party components for which we don't have the code.

  • We use NuGet a lot for .NET development. Love it. We've talked about setting up a NuGet server, so we could deploy our own packages in-house. I know this is a bit off-topic, but where I work now my boss doesn't like to use third party tool suites, like Telerik. He'd rather we rolled our own. Guess he must have been bit in the past with some third party toolkit.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • One of the seminal papers on this is Ken Thompson's "Reflections on Trusting Trust".  https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
    It sends a shiver up my spine every time I read it, but there has been a lot of interesting stuff written about it in the past 34 years, so I recommend doing some Googling and reading!

