Investigate the security requirements of using caliper #1539
Comments
Some thoughts on this around npm dependencies
Caliper is not just a tool that runs locally on a single machine making calls to blockchains. It can act as a server (using Express) to interact with Prometheus, as well as interact with an MQTT broker to co-ordinate with remote workers; as such, the remote workers and the Caliper manager will be performing bi-directional network communications with the broker.
Given the new world of regulation from both the EU and the US around open source software, for which the Hyperledger Foundation may place requirements on projects, we should consider the security requirements of Caliper.
Some thoughts:
How much of this actually has to be done for Caliper is unknown, given that it is not officially maintained by any software manufacturer (any software manufacturer taking Caliper and incorporating it into a product will definitely have obligations to ensure it is secure, but I am not aware of this actually being done) and it is not a graduated project. If it is still a concern, and given the lack of any committed investment in Caliper, then maybe moving Caliper to hyperledger-labs is an option to remove the requirement. The final alternative would be to consider moving Caliper to Dormant status, followed by end of life, and leave it as an as-is tool for use at your own risk.