A potential danger to dub

Szabo Bogdan szabobogdan at yahoo.com
Fri Sep 22 08:25:57 UTC 2017


On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
> Let me preface this by saying I love package managers and think 
> dub is one of the best things with dlang. However they can also 
> sometimes be dangerous, as this PyPI incident[1] shows: several 
> Python packages were uploaded that contained names similar to 
> the standard library, and had an extra semi-malicious payload. 
> They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with 
> the things they download, but of course they don't. It's 
> probably worth paying attention to what the PyPI devs do to 
> help mitigate this, and perhaps repeat some of those things 
> with dub.
>
> [1] 
> https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

Maybe we should have an option to add a hash with the package 
version, to be able to check the integrity of the code that is 
downloaded?
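One way the pinned-hash check proposed above could work, as an added example that is not dub's own code: the lock-line format `name version algo:hex`, the package name and the archive bytes are all constructed here for illustration.

```python
"""Pinned-digest integrity check for a downloaded package archive (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Only strong digests are accepted; anything else is rejected at parse time.
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    algo: str
    digest_hex: str


def parse_pin(line: str) -> Pin:
    """Parse one lock-file line of the hypothetical form 'name version algo:hex'."""
    try:
        name, version, spec = line.split()
        algo, digest_hex = spec.split(":", 1)
    except ValueError:
        raise ValueError(f"malformed pin line: {line!r}") from None
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported digest algorithm: {algo}")
    return Pin(name, version, algo, digest_hex.lower())


def make_pin(name: str, version: str, archive: bytes, algo: str = "sha256") -> Pin:
    """Record the digest of an archive the maintainer has actually reviewed."""
    return Pin(name, version, algo, SUPPORTED[algo](archive).hexdigest())


def format_pin(pin: Pin) -> str:
    """Serialise a pin back into the lock-line form consumed by parse_pin."""
    return f"{pin.name} {pin.version} {pin.algo}:{pin.digest_hex}"


def verify(pin: Pin, archive: bytes) -> bool:
    """True only if the fetched bytes match the pinned digest; a mismatch means do not install."""
    actual = SUPPORTED[pin.algo](archive).hexdigest()
    return hmac.compare_digest(actual, pin.digest_hex)  # constant-time comparison


# Constructed sample standing in for a fetched package tarball and its pin.
SAMPLE_ARCHIVE = b"module example;\nvoid main() {}\n"
SAMPLE_PIN = make_pin("example-pkg", "1.2.3", SAMPLE_ARCHIVE)

if __name__ == "__main__":
    print(format_pin(SAMPLE_PIN))
    print("intact:", verify(SAMPLE_PIN, SAMPLE_ARCHIVE))
    print("tampered:", verify(SAMPLE_PIN, SAMPLE_ARCHIVE + b"// injected\n"))
```

The pin is only as trustworthy as the moment it was recorded, so the digest should be committed alongside the dependency list and reviewed when the version changes.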