A potential danger to dub

Randy Bonnette universalterr at gmail.com
Wed Oct 9 12:12:01 UTC 2019


On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
> Let me preface this by saying I love package managers and think 
> dub is one of the best things with dlang. However they can also 
> sometimes be dangerous, as this PyPI incident[1] shows: several 
> Python packages were uploaded that contained names similar to 
> the standard library, and had an extra semi-malicious payload. 
> They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with 
> the things they download, but of course they don't. It's 
> probably worth paying attention to what the PyPI devs do to 
> help mitigate this, and perhaps repeat some of those things 
> with dub.
>
> [1] 
> https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository

Hi David,

A signing system for the official packages would be just great. 
Though, will those help? Who knows, it's an open source community 
pitfall. Practically all of the packages on PyPI are maintained 
by third-party companies.
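The typosquatting risk David describes (uploads whose names are near-copies of standard-library or popular package names) can be caught at upload time with a similarity check. The following is an added example, not code from the thread, dub or PyPI; the known-name list, the distance threshold and the function names are constructed assumptions, and the name normalisation mirrors the case/separator folding that package indexes commonly apply.

```python
import re

# Constructed list of names a squatter is likely to imitate. A real registry
# would use its actual standard-library module names plus its most-downloaded
# packages; these are illustrative only.
KNOWN_NAMES = {"urllib", "json", "hashlib", "requests", "setuptools"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Fold case and collapse runs of '-', '_' and '.' so that names a
    registry already treats as equivalent compare as equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(name: str, known=KNOWN_NAMES, max_distance: int = 2):
    """Return (known_name, distance) pairs this name is suspiciously close to.
    An exact (normalised) match is a plain collision, which a registry rejects
    anyway, so it is not reported here."""
    n = normalize(name)
    hits = []
    for k in known:
        kn = normalize(k)
        if kn == n:
            continue
        d = levenshtein(n, kn)
        # Also flag names that differ only by inserted separators, e.g. set-up-tools
        if d <= max_distance or n.replace("-", "") == kn.replace("-", ""):
            hits.append((k, d))
    return sorted(hits, key=lambda h: h[1])


def check_upload(name: str) -> str:
    """Registry-side decision: hold look-alike names for manual review."""
    hits = typosquat_candidates(name)
    if hits:
        return f"hold: {name!r} resembles {[k for k, _ in hits]}; manual review"
    return "ok"
```

A distance threshold of 2 on short names will also hold some legitimate uploads, so the hold is a review queue rather than an automatic rejection.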
