I have a couple of questions too. Do you have any time schedule for a fiat gateway, BCH or some other gateway? I understand the mobile wallet has some issues; are they already fixed? And when can we expect it to be released? And I must say this project is starting to look better day by day. Keep up the good work!

blockaudit
Jr. Member, Activity: 34, Merit: 2
Helping the blockchain world build secure++ stuff!

Re: HEAT Discussion and Technical info
April 04, 2018, 04:34:32 PM, #722

Quote from: verymuchso on April 04, 2018, 11:42:22 AM

Quote from: blockaudit on April 03, 2018, 11:33:54 PM



Question for the team regarding maintenance on the OSS dependencies shipping with Heat: ffmpeg, nodejs, etc.

Are you all keeping up to date with the latest versions, especially when one needs to be running the latest versions to be safe from attacks mitigated by their security fixes?

NodeJS for example drops details on releases containing security updates here: https://groups.google.com/forum/#!topic/nodejs-sec/jGPlKJyLIxI

Quite a few bugs in there for March 2018.

And FFmpeg does similarly with this page: https://www.ffmpeg.org/security.html

Where they list CVEs fixed in each release.

Hi,

Thank you for your question.

We use Github's https://github.com/electron as a runtime engine to host our custom-built web client as desktop apps on Windows, Linux and Macs.

Before we build the client we make sure to always update and upgrade to the latest Electron pre-built packages available for the major version against which we have built our client. We did the same for this latest build.

Normally security issues and updates are always backported to each still-supported Electron version, and these are made available as an update which we are alerted to simply by running the electron builder script. For this build and for any past build that was the case as well.

Unfortunately I believe it's close to impossible to always update all software against any zero-day exploit the day, week or month it comes out.

That said, parts like FFmpeg and the PDF viewer that come standard with Electron are, by the nature of our client, never touched or invoked. What I mean is you can't remotely play any video or audio file or open a PDF doc in the HEAT client.

Your question did make us look better into keeping build dependencies up to date and it's something we will be looking into in order to harden this aspect even more. So thank you for that!

That's very good to know, thanks for the knowledgeable response.

Sounds like you folks are ahead of the game in that way, as many projects we come across either have no idea how up to date their dependencies are, let alone maintain a list of such dependencies to track and model their extended attack surface.

https://www.blockaudit.org