Rclone as a member of the software supply chain

How do we know this is safe to use?

Understand: I love this tool. It's become a vital part of my workflow. And that's exactly why I am asking.

I note that the GitHub Security Policy is disabled, and there are no Security Advisories that have ever been published.

What are the basic precautions you guys have been taking?

Or - could you use a volunteer with CISO-ish skills and background to build out a plan?

Is that referring to this? Adding a security policy to your repository - GitHub Docs

You'll find two CVEs about rclone very easily: Rclone : Security vulnerabilities

What sort of thing did you have in mind?

  1. Yes
  2. That's not what I'm talking about - security flaws in the product are probably inevitable.
  3. I'm talking about a set of processes where rclone contributors are encouraged to adopt practices that will tend to protect the integrity of rclone's repo itself. 2FA on all new access, for example. Proper controls on who can perform sensitive operations on the repo itself, and some process to allow them to be verifiable and even auditable if need be. And so on.

I can provide my bona fides for being able to do this, and able to be trusted to. I will send contact info.
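A checker for the repo-integrity controls listed in the post above, added here as an example (it is not rclone's code or the poster's): it takes settings shaped like GitHub's org and branch-protection REST API responses and reports which controls are missing. The field names are my assumption of that API's shape, and the sample data is constructed.

```python
"""Audit a repository against the controls named above: 2FA on all access,
controls on sensitive repo operations, and a verifiable, auditable history.
Input dicts are assumed to be shaped like GitHub's responses for
GET /orgs/{org} and GET /repos/{o}/{r}/branches/{b}/protection."""
from typing import Dict, List


def audit_repo_controls(org: Dict, protection: Dict) -> List[str]:
    """Return a list of findings; an empty list means every control is in place."""
    findings = []
    # 2FA on all access: the org-level setting forces it for every member.
    if not org.get("two_factor_requirement_enabled"):
        findings.append("org does not require 2FA for members")
    # Controls on sensitive operations: reviewed PRs, no force-push, no deletion,
    # and the rules apply to admins too, not only to ordinary contributors.
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        findings.append("default branch accepts merges without review")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append("force-push to the default branch is allowed")
    if (protection.get("allow_deletions") or {}).get("enabled"):
        findings.append("default branch can be deleted")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append("branch protection is not enforced for admins")
    # Verifiable and auditable history: every commit must carry a verified signature.
    if not (protection.get("required_signatures") or {}).get("enabled"):
        findings.append("commit signatures are not required")
    return findings


# Constructed sample data: a weak configuration beside a hardened one.
WEAK_ORG = {"two_factor_requirement_enabled": False}
WEAK_PROTECTION = {
    "required_pull_request_reviews": None,
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
    "enforce_admins": {"enabled": False},
    "required_signatures": {"enabled": False},
}
HARDENED_ORG = {"two_factor_requirement_enabled": True}
HARDENED_PROTECTION = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
    "enforce_admins": {"enabled": True},
    "required_signatures": {"enabled": True},
}

if __name__ == "__main__":
    for name, o, p in (("weak", WEAK_ORG, WEAK_PROTECTION),
                       ("hardened", HARDENED_ORG, HARDENED_PROTECTION)):
        print(name, audit_repo_controls(o, p) or "all controls in place")
```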
