has GnuCash code been reviewed for security?

Derek Atkins derek at ihtfp.com
Thu Nov 9 09:51:37 EST 2017


Hi,

Please be sure to CC gnucash-user on all your replies using your
mailer's Reply-To-List or Reply-All functionality.

You're now getting more into topics for the development list and not the
user list, but suffice it to say that GnuCash is NOT a security
application, it is a financial application.  You should treat it as
such.  The developers work hard to ensure that the program won't crash
based on bogus inputs, but of course bugs still happen.

Any further development-related question should be redirected to
gnucash-devel.

Thanks,

-derek

Marcus Winston <marcus at thechocolatehouse.net> writes:

> OK, sure. That's fine. 
>
> So Gnucash takes as input data from some other program that has connected to
> the internet. Does GnuCash validate this data before accepting it as input?
> (one example of a security protection). Does GnuCash manage its own input
> buffers or does it allow the external program to manipulate the buffers (the
> latter being a security risk). Just a couple examples.
> -marcus
>
> On Wed, Nov 8, 2017 at 5:56 PM, Derek Atkins <derek at ihtfp.com> wrote:
>
>     None of that happens in gnucash.  That is all done by GnuTLS, controlled
>     by AqBanking.
>    
>     -derek
>     Sent using my mobile device. Please excuse any typos.
>    
>     On November 8, 2017 8:54:36 PM Marcus Winston <
>     marcus at thechocolatehouse.net> wrote:
>    
>         I'm thinking mainly of the connection to banks, downloading
>         transactions. I assume it's done over https or something similar. Has a
>         code review of that portion been conducted, to make sure it's secure
>         (at least, as secure as folks know how to make it)? Security
>         vulnerabilities abound everywhere these days...
>        
>         Thanks.
>         -marcus
>        
>         On Wed, Nov 8, 2017 at 5:43 PM, Derek Atkins <derek at ihtfp.com> wrote:
>        
>             Hi,
>             What specifically would such a code review be looking for?
>             GnuCash is a financial application. It specifically does not
>             provide security services like encryption, leaving that to
>             security specific applications (like True Crypt).  Passwords to
>             online banking are never stored. All other security is from
>             external providers.
>            
>             So what are you looking for?
>            
>             -derek
>             Sent using my mobile device. Please excuse any typos.
>
>             On November 8, 2017 8:36:31 PM Marcus Winston <
>             marcus at thechocolatehouse.net> wrote:
>
>                 I've searched the web and mailing list archives for this one,
>                 but didn't
>                 find it. I'm just curious if GnuCash has ever gone through a
>                 code review
>                 specifically for security? Perhaps something like what was
>                 done for
>                 TrueCrypt...?
>                 _______________________________________________
>                 gnucash-user mailing list
>                 gnucash-user at gnucash.org
>                 https://lists.gnucash.org/mailman/listinfo/gnucash-user
>                 -----
>                 Please remember to CC this list on all your replies.
>                 You can do this by using Reply-To-List or Reply-All.
>

-- 
       Derek Atkins                 617-623-3745
       derek at ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant
