Dependency Confusion Attack - Dub affected?
Andre Pany
andre at s-e-a-p.de
Thu Feb 11 14:01:38 UTC 2021
On Thursday, 11 February 2021 at 13:05:33 UTC, Jacob Carlborg wrote:
> I recently read this [1] interesting article. Would Dub be
> affected by this? Based on what I could find in the Dub
> documentation, it looks like Dub would **not** be affected.
> According to the documentation Dub will try custom registers
> first, is that correct?
>
> [1]
> https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
>
> --
> /Jacob Carlborg
It is a good practice for companies to have all dub packages
mirrored to an internal dub registry / maven repository and let
the dub clients only connect to this internal registry.
In addition to security aspects, you can build your software even
without an internet connection.
Kind regards
Andre
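As an added illustration of the setup Andre describes (not part of the original mail, and not dub's own documentation), a client-side dub settings.json that points every dub client at a single internal mirror and tells it not to fall back to the public code.dlang.org registry. The registry URL is a placeholder for a company's internal mirror; the keys used are dub's `registryUrls` and `skipRegistry` settings as this example assumes them, so check them against the settings reference of the dub version in use.

```json
{
  "registryUrls": [
    "https://dub-mirror.internal.example/"
  ],
  "skipRegistry": "standard"
}
```

The file is read from dub's system-wide or per-user settings location (for example /etc/dub/settings.json or ~/.dub/settings.json). `skipRegistry` set to `standard` drops the built-in public registry from the lookup while keeping the configured one, so a package name that exists only in the internal mirror can never be silently resolved from the public registry instead; the same effect can be obtained per invocation with `--registry=` and `--skip-registry=standard`. Pair this with egress rules that block build hosts from reaching code.dlang.org directly, so a misconfigured client fails loudly rather than fetching from the public registry.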