►
From YouTube: Conan.Io – Lessons Learned from Securing 40,000 C++ Packages - Diego Rodriguez-Losada Gonzalez
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Conan.Io – Lessons Learned from Securing 40,000 C++ Packages - Diego Rodriguez-Losada Gonzalez, JFrog
Supply chain security needs are at an all-time peak, since attackers are now massively targeting developers through their use of package repositories such as npm and PyPI. Conan.io, the open-source package manager for C and C++, currently houses more than 11 million binaries built by user-submitted recipes, but managed to have 0 security incidents since its inception, despite its extremely wide reception (15TB of monthly transfers). In this session, Diego (Conan's co-creator) will share how he and his team has managed this incredible feat by utilizing automated quality checks, compiler security mitigations, package signing, a secure build pipeline and an extremely strict and efficient review process, even when faced with more than 9000 pull requests in the last two years.
A
Great
so
my
name
is
Diego
I'm,
not
a
security
specialist,
okay,
but
I
am
Conan
co-founder
so
I'm
going
to
tell
here
my
story
here.
Please
be
be
kind
to
me
because
I'm
trying
to
explain
how
we
our
modest
approach
to
secure,
Conan,
Center,
hey,
please
raise
your
hands.
Who
knows
what
is
Conan?
Raise
your
hand
if
you
know
it,
one
person,
two
people,
okay,
okay,
perfect!
So
according
is
the
missing
link.
It's
something
that
we
have
been
missing
in
C
plus
for
decades
is
a
package
manager
for
CNC
plus
it
is
open
source.
A
It
is
decentralized,
it
is
a
multi-platform.
It
works
in
every
every
operating
system
with
any
build
system
and
is
very
mature
and
reliable
and
stable
I'm
going
through
those
show
Numbers.
Here,
for
example,
we
have
been
designated
as
one
of
the
one
percent
critical
IPI
projects.
You
know
that
what
that
means
we
have
we.
It
is
downloaded
a
ton
of
times
because
currently
itself
is
a
python
tool,
so
we
put
it
in
the
in
the
by
by
python
package
index
in
the
C
plus
plus
language,
a
slack
team.
A
A
We
have
a
dedicated
team,
10
people
sponsored
by
jfrog
as
maintainers
of
the
Conan
project,
and
there
are
many
thousands
of
companies
using
Conan
in
production.
This
is
the
number
of
artifactory
servers
that
we
know
those
that
are
not
behind
a
firewall.
Those
that
we
get
at
the
Telemetry
is
ranking
last
year
was
ranking
around
8
000
companies
or
teams
using
Conan.
That
means,
of
course,
a
lot
of
support
tickets.
We
got
a
lot
of
feedback
from
them.
Hundreds
of
video
calls
a
lot
of
support.
A
A
That's
that
every
one
of
those
things
is
a
new
different
binary
and
can
manage
all
of
them.
This
is
the
way
that
these
binaries
are
created.
We
have
a
recipe,
it's
a
DSL
on
top
of
python
that
describes
how
a
package
is
built
from
sources
and
what
does
a
package
contain
and
together
with
the
recipe,
it
goes
according
data.gml
that
can
be
used
to
put
some
data
like
the
URLs
and
the
and
the
checksums
of
the
turbos.
A
That
is
going
to
download
to
to
build
those
those
packages
and,
from
the
architecture,
point
of
view
currently
decentralized.
So
you
can
easily
have
your
own
server.
We
have
an
artifactory
communication,
which
is
completely
free
for
C,
plus
plus
okay,
so
you
can
have
the
whole
stack,
the
current
client
and
the
server
for
free,
and
you
can
put
your
own
private
packages
in
your
artifactory
server
and
get
them
from
there.
A
And,
besides
that,
we
also
have
a
central
repository
as
npm,
for
example,
which
we
call
Conan
Center
Colon
Center
is
the
place
where
we
host
the
third
party
open
source
packages.
Those
are
contributed
by
the
community,
but
we
maintain
the
infrastructure
and
we
run
the
repo
to
give
also
some
ideas
about
what
is
Conan
Center
Corner
Center
contains
nowadays
1400
recipes
for
each
one
of
these
recipes.
It
can
contain
a
number
of
versions
for
every
different
versions.
A
It
can
contains
different
revisions
that
happens
with
you,
do
a
change
to
the
recipe,
but
you
don't
actually
bump
the
the
version
of
the
of
the
underlying
library
and
for
every
single
revisions.
We
are
building
up
to
130
different
binaries
for
Windows
Linux
Mac
different
flavors
of
the
compilers.
As
you
can
see,
this
is
a
big
infrastructure.
A
A
So
this
is
basically
what
is
Corner
center
console
that
contains
two
parts.
The
first
one
is
the
package
system.
It's
a
system
when
we
are
creating
the
packages
from
Source
everything
starts
from
a
GitHub
tool
request.
We
built
the
package,
we
store
the
packages
and
we
serve
the
packages.
So
the
Conan
client
can
do
a
common,
install
and
get
the
packages
from
the
from
the
servers,
and
this
is
goes
together
with
a
web
with
a
web
application
that
we
can
use
to
navigate
and
explore
and
discover
these
these
packages.
A
The
package
system
is
is
a
CI.
We
are,
we
are
using
Jenkins
here
and
we
are
using
the
different
agents,
Windows
links
and
Mac
agents
here
to
build
the
things
we
put
the
binaries
in
an
artifactory
Ripple,
and
then
we
put
a
Google
CDN
on
front
of
that
for
for
scaling,
and
the
web
system
is
a
typical
web
application.
We
are
getting
the
metadata
from
the
packages
that
are
already
in
the
artifactory
server.
We
get
them,
we
crawl
them,
and
then
we
extract
the
license.
A
The
version,
all
the
things
that
we
need
and
we
put
them
in
some
storage.
Basically,
Google
storage
and
a
postgres
database
and
we
serve
them
through
a
fast
API
and
next
is
a
very
standard
web
application
from
that
application.
We
we
have
this.
This
is
the
front
end
of
of
Conan.
Center,
as
you
can
see,
is
relatively
simple.
It
displays
the
packages.
One
important
thing
here
is
that
it
doesn't
have
any
authentication
users
don't
need
to
to
log
into
this
system.
It's
a
read-only,
it's
a
read-only
page.
A
So
that
means
from
the
security
point
of
view
the
web
part
of
corner
Center
is
very
secure.
We
are
not
concerned
about
it
at
all.
Maybe
you
can
get
into
it,
but
even
if
you
do
it
the
information
there,
the
database
information
is
absolutely
public.
It's
something
that
you
can
get
from
the
packages
that
you
can
get
from
Conan
Center.
So
it's
not
that
we
are
hosting
any
sensitive
information
or
anything
like
that.
A
As
you
can
imagine,
our
major
concern
is
about
the
package
creation
process
because,
yes,
we
have
these
Jenkins.
This
is
the
first
liability
here,
so
we
put
the
Jenkins
absolutely
in
a
VPN.
You
cannot
access
anything
from
from
Jenkins
from
the
outside,
but
you
are
still
processing
the
the
pull
request
from
GitHub,
and
this
is
the
main
attack
Vector
for
for
Conan
Center,
of
course.
A
A
The
first
one
is
a
user
check,
so
the
users
when
they
do
a
pull
request
to
Conan
Center
repo
and
they
first
they
need
to
to
sign
the
CLI.
They
are
actually
transferring
the
copyright
of
their
contributions,
and
then
James
is
the
first
thing
we'll
do
is
check
the
GitHub
username.
It
contains
an
allow
list.
If
the
user
is
not
in
this
allow
list,
the
pull
request
will
not
be
processed
at
all.
We
don't.
We
don't
build
anything,
and
the
users
can
request
access
for
this.
A
A
Then
the
second
stage,
even
if
you
are
an
authorized
user,
the
second
stage
is
static
analysis.
So
we
get
the
diff
from
the
pull
request
and
we
we
have
several
tools
there,
that
analyze
that
div
and
we
check
things,
for
example,
that
if
the
pull
request
is
doing
a
version
bump,
because
it
only
changed
the
content
data
jaml
file
with
the
specific
URLs
we
check
the
URLs,
we
check
the
checksums,
we
check
everything.
This
is
looking
good
and
then
we
annotate
it
as
a
as
a
version
bump.
We
can
detect
also
things
like
hey.
A
This
is
a
dependencies
bump
which
can
check
the
consistency
of
the
quantitative.dml.
So
everything
that
we
can
check
with
a
with
adif
analyzing
the
file
is
there
before
building
anything
is
done.
We
check
that
the
users
are
not
touching
in
any
folder,
for
example,
the
configuration
folder
that
we
have,
we
have
very
little,
but
we
have
something
they
are
not
allowed.
Of
course
of
modify
anything.
If
they
are
touching
the
configuration
folder,
then
the
the
pull
request
stops.
A
Then
the
next
stage
are
some
quality
checks
we
have
here.
We
are
using
two
tools
here.
We
are
using
first,
the
GitHub
GitHub
actions
and
we
are
using
some
LinkedIn
there.
Okay,
it's
not
a
strict
security
measure,
but
if
you
are
doing
something
weird,
it
is
likely
that
this
this
quality
checks
might
raise
an
an
area.
If
you
are
doing
I,
don't
know
trying
to
obfuscate
something
or
something
a
linter
can
can
easily
say
Hey.
A
You
are
doing
something
weird
here
and
then
we
will
have
some
some
insights
about
that,
and
also
in
the
Jenkins
side,
we
are
running
some
of
our
quality
checks
that
Bitcoin
hey.
For
example,
they
check
that
the
recipe
itself
doesn't
contain
any
URL,
for
example,
or
it's
not
trying
to
do
whatever
you
get
or
it's
not
trying
to
do
something
that
is
trying
to
connect
to
the
to
the
outside.
So
we
run
also
some
quality
and
Security
checks.
There.
A
Then
we
get
to
the
bills
when
we
are
actually
sending
the
job
to
the
to
the
bill
agents
and
they
need
to
start
building,
and
this
is
the
first
thing
that
is
a
bit
more
more
delicate
because
so
far
we
have
been
using
temporary
ports.
So
everything
that
has
been
running
so
far
runs
in
a
in
a
pod
that
is,
is
created
on
the
Fly
and
is
destroyed
after
so,
even
if
you
get
access
to
that
Port,
it
will
be
a
completely
isolated.
A
A
We
have
automated
those
machines,
so
we
are
using
ansible
and
we
can
periodically
rebuild
those
machines
in
case
something
goes
wrong
not
only
because
of
security
just
for
or
our
own
sanity,
because,
as
you
can
guess,
maintaining
this
infrastructure
at
scale
for
Windows
and
OS
X.
It
is
not
that
as
nice
and
kubernetes,
so
we
do
it,
but
we
also
use
it
as
a
measured
way.
Let's,
let's
build
these
machines
from
time
to
time,
so
they
are
fresh
and
they
are
and
they
are
clean
in
that
step.
We
also
do
some
some
binary
checks.
A
This
bill
is
actually
building
the
binaries,
so
we
have
some
hooks
there
that
will
check
hey.
You
said
that
you
were
building
a
third
library.
Is
there
an
actual
dll
Library
here
are
the
I'll
say
I'll,
say
the
magic
numbers
of
the
dealer,
whatever
whatever
we
can
check
about
these
binaries
created?
We
also,
we
also
checked
the
artifact
that
has
been
built,
and
finally,
everything
that
is
built
at
this
stage
is
put
in
an
independent,
isolated,
artifactory
repo
that
is
created
on
the
Fly,
for
this
specific
pull
request.
A
A
And
finally,
the
manual
review
we
require
these
for
anything
to
be
merged
into
Conan
Center
and
we're
required,
in
this
case,
two
positive
reviews,
one
review
from
the
from
our
official
reviewers.
These
are
people
that
we
have
selected
from
the
community
like
heavy
contributors
to
Conan
Center
people
that
we
have
been
talking
to
them.
We
have
been
doing
video
conferences
with
them
and
we
meet
them.
A
So
we
put
them
in
an
allowed
list
and
we
made
them
official
reviewers,
so
they
can
do
a
positive
review
and
that
counts,
and
then
it
also
requires
a
positive
review
from
a
maintainer,
and
this
is
the
stage
where,
where
the
the
reviewers
will
will
care
for
hey,
let's
do
the
due
diligence
of
what
is
happening
here
and
they
will
do
checks
that
are
otherwise
difficult
to
automate,
for
example,
is
the
URL
that
is
being
used?
The
real
URL
of
the
project
is
the
checksum.
There
is
everything.
A
Correct
is
using
a
some
recipes
might
be
using
mirror,
for
example,
because
the
network
might
be
flacky
or
the
original
source
is
also
a
bit
a
bit
unstable.
So
if
there
are
mirrors,
we
need
to
check
the
mirrors
as
well,
so
everything
that
a
developer
will
will
do
is
done
at
this
stage
and,
finally,
when
everything
is
good,
when
everything
is
clean
only
at
this
stage
they
merge
and
promote
mechanism
kicks
in.
A
Here
again,
we
are
in
a
in
a
new
in
a
new
temporary
Port,
because
this,
this
port
is
the
one
that
has
access
right
access
is
the
only
one
in
the
whole
system
that
has
right
access
to
the
final
artifactory
Ripple.
That
is
the
production
report
for
for
Conan
Center.
So
this
is
basically
a
product
that
is
using
the
artifactory
API
to
copy
to
promote
packages
from
the
pull
request
repo
to
the
final
production
report,
which
is
typical,
good
practice
for
packets
management
at
a
scale
in
any
in
any.
A
In
any
case,
besides
all
these
review
process
and
and
contribution
process,
we
try
to
follow
also
other
best
practices,
so
everything
that
we
can
restrict
permissions.
We
do.
We
use
two-factor
identification
everywhere
for
every
service
that
you
we
can
do.
Every
single
piece
of
the
system
is
as
related
as
possible.
It
was
mentioned
before,
but
our
images,
if
we
can
do
something
in
an
image
that
doesn't
have
a
cell
at
all
and
it's
just
running
some
command
or
something
we
do
it.
We
try
to
maintain
things
as
minimal
as
possible.
A
We
store
lots
of
everything
GitHub
as
a
record.
This
sounds
easy,
but
it
is
actually
cool.
It
doesn't
matter
once
you
are
using
GitHub
pull
requests
as
a
mechanism,
you
do
a
pull
request
and
it
stays
there.
You
cannot
remove
it.
You
can
remove
the
source
code,
but
the
pull
request
itself
stay
there.
So
you
cannot
do
something
try
to
remove
because
it
can
maintain
that
information
there
and
we
try
to
maintain,
of
course,
everything
all
the
pieces
there
updated
to
the
latest
versions.
A
But
let's
say
that
at
some
point
you
got
access
into
our
system
right
and
then
you
manage
to
create
some
malicious
packages
of
popular
C
plus
plus
libraries.
Let's
say
that
you
infected
boosts
or
open
SSL,
or
certainly
there
and
you
put
them
in
artifactory
Conan
Center
in
the
actual
production,
repo.
Okay.
This
is
really
bad
news,
but
probably
it's
not
as
bad
news
as
you
expected,
if
you,
if
you
thought,
a
I'm
gaining
access
to
all
those
cool
companies,
Fortune
100
companies
using
Conan
in
production
that
Diego
was
telling
before.
No.
A
This
is
not
the
case
and,
as
you
can
get,
C
plus
plus
is
probably
different
to
all
the
other
ecosystems
out
there
before
you
guys
been
commenting
about
other
other
languages
and
other
package
managers
and
Corner
was
not
there.
It
hasn't
been
that
concerned
that
far
C
plus
plus
is
different.
The
community
has
been
doing
different
things
for
decades
because
they
didn't
even
have
a
package
manager
in
this
case,
80
percent.
Eighty
percent
of
the
users
are
not
using
Conan
Center
binaries
in
production
at
all.
A
Okay,
there
are-
and
this
is
goes
proportionally
also
with
the
size
and
the
value
of
the
company.
If
you
are
one
of
those
big
companies
that
are
using
Conan,
I
can
tell
you
that
they
are
not
using
the
coins
and
their
binary
simulation.
None
of
them
are
using
them.
Okay,
so
the
metrics
that
we
saw
before
they
are
just
from
the
20
of
users
that
are
actually
using
those
binaries
in
production.
Typically,
hobby
users
startups
small
companies,
small
teams
exploration,
typically
trying
out
things,
but
not
in
production.
A
So
what
are
these
companies
doing
is
something
that
should
be
done
for
every
package
manager.
It
was
commented
before
in
a
previous
talk,
so
one
of
the
approaches
that
approximately
20
of
the
users
are
doing
is
they
are
copying
the
binaries
from
Conan
Center.
They
do
a
copy,
a
control
copy.
Typically,
a
developer
does
some
some
audit
process.
They
check
hey
I'm,
getting
this
version
and
then
I'm
copying
it
into
my
own
artifactory
instance,
and
they
they
cut
access
to
the
to
the
Conan
Center
completely,
and
they
even
have
many
of
them.
A
You
probably
don't
imagine
because
in
other
words
is
unthinkable,
but
many
of
these
companies
they
have
a
process,
they
have
a
meeting
to
be
able
to
upgrade
Boost
from
one
person
to
the
other
okay.
So
it's
not
something
that
happened.
Hey,
let's
just
get
the
latest
version
of
of
the
Boost
library
from
packet,
so
they
have
this
control
copy
from
time
to
time
and
that
time
might
be
two
months.
A
Some.
Maybe
it's
not
best
for
today
get
the
latest
a
newest
version
for
for
a
library,
but
it's
very
secure
from
the
supply
chain
attack
point
of
view
because
those
binaries
they
are
not
easily
getting
into
their
organization
and
even
though
that
was
only
20
of
the
users
60
of
the
users
and
all
of
the
important
ones
they
are
doing
this.
They
are
building
the
packages
from
sources.
They
are
actually
doing
the
due
diligence
over
the
Conan
recipes
and
they
are
building
the
binaries
from
source,
and
we
are
very
happy
about
this.
Owning
your
own.
A
A
Conan
Center
contains
the
recipes
instead
of
a
readme
that
it
automates
how
a
library
is
built
from
source
for
Windows
for
Linux
for
mac,
and
that
is
super
valuable
and
then
Conan
can
automate
hey
you
create
the
binaries,
I
short
the
binaries,
and
then
you
don't
need
to
rebuild
them
from
Source.
I
will
be
serving
you,
your
own
binary
that
you
created
for
all
the
next
build
that
you
that
you
are
doing.
A
A
First,
we
have
been
checking
hey
out
of
the
Conan
Center
binaries,
the
best
they
can.
They
can
be,
for
example,
because
GCC
is
not
activated
by
default,
some
some
compiler
flags
that
are
considered
to
be
secured
and
are
considered
to
be
a
good.
A
good
practice
for
security,
and
by
default
they
are
not
active.
So
we
have
been
checking
these
things
and
we
are
starting.
A
We
implemented
a
way
to
inject
these
compiler
Flags
to
any
build
system,
because
Conan
Center
contains
packages
that
are
built
with
cmake
or
with
Meson
or
without
the
tools
so
corner
now
now
knows
how
to
inject
compiler
flags
for
every
project
that
it
contains.
So
in
this
way
we
can
inject
The
f-stack
Protector
strong
flag
and
in
an
easy
way
that
both
Conan
Center
can
do
it
and
the
users
that
are
building
from
Source
the
binaries.
They
can
also
do
it
and
start
to
use
this.
A
This
practices
by
default
is
not
always
possible
because
some
things
change
the
ABI,
the
binary
compatibility.
In
this
case,
we
are
not
doing
that,
but
we
have
investigated,
which
ones
does
and
what
not.
We
have
also
been
implemented
package
signing,
not
only
because
it's
important
to
know
the
authority
and
having
the
practices
Integrity
value,
but
also
because
the
ecosystem
is
also
becoming
a
bit
better.
There
are
other
providers
that
they
want
to
start
and
even
companies
that
they
are
starting
to
distribute.
Quantum
packages
to
their
own
customers
at
the
same
time.
A
So
if
the
system
is
becoming
more
Federated,
then
he
is
becoming
more
important
to
know
the
origin.
Who,
who
is
this
package
from?
Is
this
package
signed?
And
so
this
is
what
we
have
been
adding
so
in
this
case
for
corner
to
zero,
because
it's
a
breaking
change,
we
couldn't
do
it
in
Quantum,
one
which
is
the
current
version.
We
added
a
package
signing
plugin
a
way
that
anyone
can
sign
their
packages
with
the
tools
they
want
is
basically
implementing
those
two
functions
there.
A
One
the
sign-in
function
is
called
when
you
are
uploading
packages,
because
developers
can
create
packages
locally
all
the
time
they
don't
want
to
be
signing
all
those
packages,
so
packages
are
assigned
at
upload
time
and
packages
are
verified
when
you
are
downloading
them
from
the
servers.
So
we
have
these
two
extension
points
you
implement
them
and
then
it
works.
We
sign
everything
we
sign,
not
only
the
binaries,
but
if
you
recall,
iOS
78,
the
recipe
itself
is
an
artifact
that
this
is
stored
in
in
the
server
as
well.
A
So,
even
if,
for
someone
reason
you
didn't
upload
the
binaries,
the
recipe
is
also
signed
as
well,
and
we
besides
the
plugin
which
is
built
in
we,
are
also
providing
a
reference
implementation
with
zip
store.
Okay,
we
are
using
the
recore
and
it's
an
implementation
that
is
very
easy
to
configure.
You
only
need
to
call
Conan,
config
install
and
then
a
URL
of
the
repo,
and
then
you
get
this.
This
Secret
store
sign
in
plugin.
We
will
use
it
in
corner
Center,
Conan
Center
packages
once
colon
to
zero
is
finally
out
and
unstable.
A
A
Conan
only
only
has
1400
recipes
different
different
packets,
plus
the
number
of
versions
plus
the
number
of
binaries
is
not
is
not
that
huge
compared
with
the
number
of
different
packets
that
the
npm
can
contain,
for
example,
but
it
is
also
true
that
we
also
have
for
because,
from
the
full
content
team,
only
four
people
are
working
in
Conan,
Center,
okay
and
the
number
of
official
official
reviewers
is
15
official
reviewers.
So
it's
also
a
small
numbers
so
far,
and
this
is
not
a
cold
to
be
hacked
okay,
we
have
had
no
security
instance.
A
Okay.
It
is
true
that
some
of
the
easy
security,
the
incidents
that
other
other
systems
have
had
in
the
past
like,
for
example,
the
color
dot.
Yes,
even
if
the
the
package
Creator,
even
in
the
library
owner,
wants
to
hijack
their
own
Library,
it
is
not
possible
because
one
thing
is
the
library,
and
one
thing
is
the
recipe.
The
pull
request
that
you
need
to
do
to
connect
Center
to
have
your
recipe
include
that
process
by
the
way.
Probably
it
was
not
that
clear
before,
but
that
is
also
running
a
test
of
the
package.
A
If,
for
some
reason
you
are
putting
the
the
colors
yes
in
an
infinite
Loop,
then
it's
going
to
block
the
the
construction
of
the
package
will
fail.
Okay,
something
that
our
pipeline
would
easily
capture
and
will
easily
block,
even
even
for
the
library
author
laborator
cannot
do
that.
Okay,
a
the
same
for
for
for
other
attacks.
If
even
if
someone
is
able
to
to
gain
access
to
the
GitHub
user
of
some
contributor
that
has
already
accessed
their
pull,
requests
are
going
to
be
reviewed,
no
matter
if
they
contribute
to
the
original.
A
So
the
question
here
is:
is
this
something
that
is
worth
to
be
considered
for
other
Technologies,
because
honestly,
some
other
Technologies
has
been
super
great
I'm,
a
happy
users
of
them.
But,
let's
be
honest,
is
they
are
not
very
secure,
so
something
has
to
be
done.
I
think
IPI
has
started
to
do
something
with
a
one
percent
of
critical
projects
and
asking
us
to
use
two-factor
authentication
to
be
able
to
upload
our
own
packages.
So
we
cannot
be
hijacked
and
someone
can
upload
a
Conan
client.
A
That
would
be
a
disaster
on
our
behalf
because
they
gain
access
to
our
account
okay.
So
this
is
a
first
step,
but
is
the
review
process,
something
that
is
is
doable
at
a
scale.
I
think
Maven
has
done
something
like
related,
but
the
other.
Maybe
it
is,
as
also
has
been
commented
before,
I
think
the
docker
images
this
this
morning,
all
the
central
package
management
they
follow
operator
distribution
in
our
case
I,
can
give
I
can
tell
you
that
from
that
1400
recipes
only
100
recipes.
A
A
Okay
and
to
finalize
how
what
has
been
our
approach
for
Corner
Center
security
is
just
a
simple
one:
it's
a
very
constrained
process.
We
only
accept
packages
from
sources
from
pull
requests.
We
have
a
lot
of
automation,
we
do
lots
of
automated
checks
and,
of
course,
best
practices
around
our
system
to
be
secure
and
we
have
a
manual
review
process
with
due
diligence
of
what
is
happening
there.
A
Okay,
we
keep
constantly
working
on
that
in
our
future
is,
is
we
are
going
to
deploy?
It
has
been
already
implemented,
but
the
package
signing
and
robots
Define
the
binaries
is
already
there.
It
will
be
part
of
after
2-0.
Sometime
soon
we
will
build
more
user
Gates
checking
who
is
doing
pull
request
to
Conan
Center
deactivating
accounts
when
they
are
not
active.
Doing
I
say
how
many
months
old
is
a
GitHub
account
before
getting
before
giving
them
access.
We
are
going
to
automate
those
checks
that
sometimes
are
manual
too.
A
We
are
creating
s-bombs,
we
have
been
creating
artifactory
build
info,
which
is
proprietary
for
for
artifactory,
but
the
s-bomb
is
a
standard
and
we
will
create
them,
so
it
can
be
also
integrated
with
other
security
tools,
and
it
has
been
working
for
Conan
so
far,
great
because
yeah,
the
ecosystem
scale
is
manageable
for
us,
okay,
and
also
because
Building
C
plus
plus,
is
so
challenging
that
if
you
want
to
hack,
you
want
to
gain
reputation
in
our
system.
You
are
going
to
have
to
work
a
lot
before
you.
A
You
become
a
popular
contributor
to
Corner
Center.
You
are
going
to
have
to
build
a
few
C
plus
libraries,
third
party
libraries,
and
that
is
challenging
it's
way
more
challenging
than
throwing
an
attack
to
npm
or
Pipi,
and
within
that
this
is
something
that
can
be
a
scale
and
is
something
to
be
considered
for
other
communities
it
can
be
done,
is
working
great
and
something
has
to
be
done
in
our
opinion.
A
And
thank
you.
If
you
want
any
more
information
about
this,
you
can
go
to
the
current.io
page
and
if
you
find
something,
we
also
have
a
back
Bounty
program.
So
that's
the
the
URL
as
well.
Please
submit
your
your
findings
there
and
if
someone
wants
to
reach
me
or
talk
to
me,
I
will
be
here
after
the
session
as
well,
and
that
is
my
Twitter
handled
on
hesitate
to
write
to
me
too.
Thank
you.
B
Hi
there
a
very
interesting
talk.
Thank
you.
So
it's
too
bad
I
have
a
two-part
question,
but
I'll
just
ask
the
first
I'll
make
a
comment.
First
about
the
first
one,
that'll
move,
the
second
one,
which
is
a
while
ago,
I
pointed
out
a
bunch
of
problems
with
Linux
package
managers
which
led
to
them
using
a
different
signing
model
and
one
community
that
didn't
do.
This
was
slackware
because
they
said
everyone
could
just
download
and
read
the
source
for
themselves,
and
that
did
not
turn
out
well
for
them.
So
that's
my
first
aside.
B
The
second
question
is:
have
you
heard
of
the
underhanded
C
code
contest,
and
do
you
understand
how
easy
it
is
for
people
to
write
code
that
looks
legitimate,
especially
in
C
and
C,
plus
plus,
and
get
it
past
code
review,
because
there's
been
a
lot
of
work?
That's
shown
that
that's
not
particularly
difficult
to
do.
Yeah.
A
Yeah
exactly
so,
that's
that's
a
good!
That's
a
good
question.
I've
been
a
c
plus
developer
for
four
decades.
I
I
know
how
it
is
so
the
thing
is,
we
are
not
doing
any
due
diligence
on
the
C
plus
plus
code
itself.
If
the
library
author
is
doing
something
that
is
really
nuts
in
their
C
plus
plus
code,
they
are
going
to
be
able
to
obfuscate
up.
We
can
control,
let's
say
from
the
origin,
the
URL.
A
This
is
the
official
review,
the
official
point
of
source
of
that
URL
and
to
the
final
point,
it
is
like
they're
going
something
really
weird
they
are
trying
to
escape.
They
are
trying
to
do
like
remote
codes
to
some
place,
it's
possible
that
something
will
break
in
the
bill
because
we
are
running
it.
Actually,
it's
not
the
same
as
running
in
a
developer
machine
which
those
chains
will
be
typically
targeted
too.