A potential danger to dub
David Gileadi via Digitalmars-d
digitalmars-d at puremagic.com
Sat Sep 16 17:09:34 UTC 2017
Let me preface this by saying I love package managers and think dub is
one of the best things with dlang. However, they can also sometimes be
dangerous, as this PyPI incident[1] shows: several Python packages were
uploaded that contained names similar to the standard library, and had
an extra semi-malicious payload. They are apparently now part of live
software.
You could of course expect developers to do due diligence with the
things they download, but of course they don't. It's probably worth
paying attention to what the PyPI devs do to help mitigate this, and
perhaps repeat some of those things with dub.
[1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
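One of the mitigations a registry can apply to the situation described in this post is to screen new upload names against a protected list (standard-library module names, top packages) and reject or hold anything that collides with or sits within a small edit distance of one of them. The script below is an added illustration of that check, written for this thread; it is not code from dub, DUB's registry or PyPI. The protected list and the candidate names are constructed samples, and the distance threshold of 1 is an assumed policy value.

```python
"""Screen proposed package names for collisions and look-alikes.

Added example for this thread, not code from dub or PyPI. The protected
names, the candidate uploads and the threshold are constructed for
illustration.
"""

# Constructed sample of names a registry would want to protect, e.g.
# standard-library module names and widely used packages.
PROTECTED_NAMES = ("urllib", "socket", "hashlib", "json")


def normalize(name: str) -> str:
    """Canonicalise a name so 'A_b', 'a-b' and 'a.b' compare equal.

    Registries commonly treat these separators as equivalent, and a
    look-alike check has to do the same or it can be bypassed trivially.
    """
    return name.strip().lower().replace("_", "-").replace(".", "-")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(
                prev[j] + 1,          # delete ca
                cur[j - 1] + 1,       # insert cb
                prev[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]


def check_name(candidate: str, protected=PROTECTED_NAMES, max_distance: int = 1):
    """Classify one proposed upload name.

    Returns ("collision", name) for an exact match after normalisation,
    ("lookalike", name) when within max_distance edits of a protected
    name, and ("ok", None) otherwise.
    """
    cand = normalize(candidate)
    best = None
    for p in protected:
        d = edit_distance(cand, normalize(p))
        if best is None or d < best[0]:
            best = (d, p)
    if best is None:
        return ("ok", None)
    dist, matched = best
    if dist == 0:
        return ("collision", matched)
    if dist <= max_distance:
        return ("lookalike", matched)
    return ("ok", None)


def screen_uploads(candidates, protected=PROTECTED_NAMES, max_distance: int = 1):
    """Return only the candidates a registry should hold for review."""
    flagged = []
    for name in candidates:
        verdict, matched = check_name(name, protected, max_distance)
        if verdict != "ok":
            flagged.append((name, verdict, matched))
    return flagged


if __name__ == "__main__":
    # Constructed batch of proposed upload names.
    batch = ["urlib", "JSON", "hashlib2", "numpy", "my-web-framework"]
    for entry in screen_uploads(batch):
        print("%-18s %-10s (near %s)" % entry)
```

`screen_uploads` is deliberately a hold-for-review filter rather than an automatic reject: a distance-1 match is a strong signal but not proof of intent, and a registry will want a human or a stricter policy (for example, blocking the protected names outright and reviewing the rest) behind it.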