A potential danger to dub
Matt
vodkahaze at hotmail.com
Fri Sep 22 23:36:37 UTC 2017
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi
wrote:
> Let me preface this by saying I love package managers and think
> dub is one of the best things with dlang. However they can also
> sometimes be dangerous, as this PyPI incident[1] shows: several
> Python packages were uploaded that contained names similar to
> the standard library, and had an extra semi-malicious payload.
> They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with
> the things they download, but of course they don't. It's
> probably worth paying attention to what the PyPI devs do to
> help mitigate this, and perhaps repeat some of those things
> with dub.
>
> [1]
> https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
The main vector of attack was slightly misnamed popular packages.
That can be solved by adding checksums and adding some sort of
"certified real repo" badge systems to the package manager.
More information about the Digitalmars-d
mailing list