Security risks? Supply chain attacks?

krilbe posted 3 weeks ago in General

In view of the growing number of supply chain attacks (and other attacks...), I would like to know your risk assessments and protection measures.

HeidiSQL has an auto updater, which prompts the user when an update is available. Such an updater was recently attacked for Notepad++, see their website: notepad-plus-plus.org, path /news/hijacked-incident-info-update/ (I'm not allowed to post links apparently.)

What's the status for HeidiSQL updater?

What about web site, download links and download assets protection?

What about risks of hacked dependencies getting included in the builds?

Any other risks worth considering?

ansgar posted 3 weeks ago

Yes, that attack on Notepad++ is very sad, and I have a certain fear that this happens with the nightly build updater as well. What I can say is that SSL certificates are checked by the updater, as a normal web browser would do. More precisely, the download happens through InternetOpenUrl in apphelpers. I think the updater in Notepad++ works differently; you cannot directly compare them.

However, for the upcoming v13 of HeidiSQL, built with Lazarus and FreePascal, I do not plan to include such a build updater again. That would mean even more effort, with three different operating systems to support.

The downloads here on the page have moved from internal links to the GitHub release assets.
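The certificate validation ansgar describes authenticates the host the updater talks to (with WinINet this holds as long as the InternetOpenUrl call does not pass INTERNET_FLAG_IGNORE_CERT_CN_INVALID or INTERNET_FLAG_IGNORE_CERT_DATE_INVALID, which suppress parts of that check). It says nothing about whether the file served is the one the maintainer built, which is exactly what an update hijack swaps out. The complementary control is to compare the downloaded asset against a digest (or signature) obtained through a separate channel. The following is an added example of that check, not HeidiSQL's Pascal code and not its updater; the checksum-list format (sha256sum style), the file name "installer.exe" and the sample bytes are constructed for the illustration. The example assumes the checksum list comes from somewhere the attacker who controls the download host cannot also edit; if both come from the same place, the comparison adds nothing.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlparse


def is_https(url):
    """TLS validation only applies if the updater actually fetches over https;
    a plain-http update URL gets no certificate check at all."""
    return urlparse(url).scheme == "https"


def parse_sha256sums(text):
    """Parse a sha256sum(1)-style list, one '<64 hex digits>  <filename>' per line.
    A leading '*' on the filename (binary-mode marker) is dropped."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"non-hex digest on line: {line!r}") from None
        digests[name.lstrip("*")] = digest.lower()
    return digests


def sha256_file(path):
    """Stream the file through SHA-256; installers are too large to read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_asset(path, asset_name, sums_text):
    """Return True only if the file at `path` matches the digest listed for
    `asset_name`. A missing entry is an error, not a pass: an attacker who can
    edit the checksum list could otherwise just delete the line."""
    expected = parse_sha256sums(sums_text).get(asset_name)
    if expected is None:
        raise KeyError(f"no digest listed for {asset_name!r}")
    # compare_digest avoids timing differences; cheap insurance even here.
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed sample data, not a real release: verify a genuine copy,
    then the same file with bytes appended, as a tampered update would have."""
    genuine = b"constructed installer payload\n" * 100
    sums_text = f"{hashlib.sha256(genuine).hexdigest()}  installer.exe\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.exe")
        with open(path, "wb") as f:
            f.write(genuine)
        genuine_ok = verify_asset(path, "installer.exe", sums_text)
        with open(path, "wb") as f:
            f.write(genuine + b"\x90" * 16)  # tampered copy
        tampered_ok = verify_asset(path, "installer.exe", sums_text)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A checksum only moves the trust question to wherever the checksum list is published; a signature over the asset with a key shipped inside the application is the stronger form of the same idea, since the updater then needs no second download to trust.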

krilbe posted 3 weeks ago

Fair enough, and thanks for the feedback.

Protection of build pipeline/actions etc.?

Any thought re. dependencies? There have been several attacks in that area. How to ensure that hacked dependencies don't get included in builds?

ansgar posted 3 weeks ago

There are zero Pascal code dependencies within the actions pipeline. There was one for a few days, for the inclusion of a package named MetaDarkStyle, but resolving it through the setup-lazarus action had issues, so I replaced it with a manually added folder containing the relevant code, which I will of course have to update manually.

Though the pipeline uses Gustavo's setup-lazarus action, which probably has outside dependencies. Not sure about that. I've not dived too deep into that area.

Protection of build pipeline/actions etc.?

I honestly had no clue whether actions need some kind of protection. It's probably the fact that it is running on GitHub, in which I still have some trust, although it belongs to Microsoft. However, if you have some time for checking the workflow file for the Lazarus release, feel free to comment. Note that the current v12 Windows releases are built on a private system, not through that pipeline.

krilbe posted 3 weeks ago

I'm kind-of at the edge of my knowledge here, so I'm afraid I cannot be of much help when it comes to analysis and fixes. Sorry. I'm just trying to assess the situation for some tools that we use in our daily work.

If it's of any significance, maybe take a look at the roadmap that my question prompted the FlameRobin author to put into place. It seems to mention some aspects of securing GitHub Actions. It's on GitHub, with URL path mariuz/flamerobin/discussions/591 (apparently I'm not allowed to post links).

Specifically, this section:

  • Harden GitHub Actions
    • Pin third-party actions to full commit SHAs
    • Review token/permission scopes
    • Protect release workflows and tags

I suspect that the FlameRobin author is using AI to do a lot of the work, including constructing this roadmap. Maybe you could also give that a try? I have so far found Claude very helpful in pinpointing security issues in our own code, and also in suggesting fixes.

Best of luck and thanks for taking this seriously.
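The first two roadmap items above (pin third-party actions to full commit SHAs, review token/permission scopes) are both visible in the workflow file itself, which is also where ansgar's question about whether actions need protection can be answered concretely. Below is an added example, not HeidiSQL's or FlameRobin's real workflow and not their tooling: two constructed workflow fragments, a weak one and a hardened one, plus a small checker that reports `uses:` references not pinned to a 40-hex commit and whether a `permissions:` block is declared. Except for actions/checkout, the action names are placeholders, and the 40-hex pins are placeholders rather than real commits.

```python
import re

# Constructed workflow fragments for illustration; neither is a real project's
# file. Action names other than actions/checkout are placeholders, and the
# 40-hex values below are placeholder pins, not real commits.
WEAK_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-user/setup-lazarus@v3
      - run: lazbuild project.lpi
      - uses: example-user/upload-release@main
"""

HARDENED_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']
permissions:
  contents: read   # default for every job; widen per job only where needed
jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: example-user/setup-lazarus@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
      - run: lazbuild project.lpi
      - uses: ./.github/actions/upload-release   # local action: its code is in this repo
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return every third-party `uses:` reference that is not pinned to a full
    commit SHA. A tag or branch can be moved by whoever controls the action's
    repository; a 40-hex commit cannot."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local path or container image: not a GitHub-hosted action
        _, sep, version = ref.partition("@")
        if not sep or not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def declares_permissions(workflow_text):
    """True if the workflow sets a `permissions:` block at the top level or for
    a job. Without one, GITHUB_TOKEN gets the repository's default scopes."""
    return any(re.match(r"^\s*permissions:", line) for line in workflow_text.splitlines())


def audit(workflow_text):
    return {
        "unpinned_actions": unpinned_actions(workflow_text),
        "permissions_declared": declares_permissions(workflow_text),
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(text))
```

Pinning to a commit moves the work to reviewing what that commit contains and to bumping the pin deliberately; tooling such as Dependabot can keep SHA pins current. The third roadmap item, protecting release workflows and tags, is a repository setting (protected tags or rulesets, environment approvals) rather than anything in the workflow file, so a file checker cannot see it.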
