A potential danger to dub
Szabo Bogdan
szabobogdan at yahoo.com
Fri Sep 22 08:25:57 UTC 2017
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think
> dub is one of the best things with dlang. However they can also
> sometimes be dangerous, as this PyPI incident[1] shows: several
> Python packages were uploaded that contained names similar to
> the standard library, and had an extra semi-malicious payload.
> They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with
> the things they download, but of course they don't. It's
> probably worth paying attention to what the PyPI devs do to
> help mitigate this, and perhaps repeat some of those things
> with dub.
>
> [1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
Maybe we should have an option to add a hash with the package
version, to be able to check the integrity of the code that is
downloaded?
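As an added illustration of the hash-pinning idea proposed in the reply above (this is not dub's code and not from either poster), the following standalone Python sketch pins a dependency's version and SHA-256 digest in a lock-file-style dict the first time it is trusted, then refuses any later download whose name, version or digest does not match. It also covers the concern in the quoted post by flagging package names within edit distance 1 of a well-known name. The package names, versions and archive bytes are constructed for the example; the `KNOWN_PACKAGES` list and the lock file layout are assumptions, not a dub format.

```python
"""Hash-pinned dependency verification and look-alike name warnings.
Standalone illustration; not dub's own implementation."""
from __future__ import annotations

import hashlib
import hmac
import json

# Well-known package names a registry might guard against look-alikes.
# Constructed list for this example.
KNOWN_PACKAGES = {"vibe-d", "mir", "dxml"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an archive's raw bytes (what the lock file pins)."""
    return hashlib.sha256(data).hexdigest()


def pin_package(lockfile: dict, name: str, version: str, archive: bytes) -> dict:
    """Record name, version and digest at the moment a package is trusted.
    This is where a human review (or a signed registry record) vouches for
    the archive; every later install only has to match this entry."""
    lockfile[name] = {"version": version, "sha256": sha256_hex(archive)}
    return lockfile


def verify_download(lockfile: dict, name: str, version: str, archive: bytes) -> tuple[bool, str]:
    """Check a freshly downloaded archive against the pinned entry.
    Returns (ok, reason) so the caller can abort the build on failure."""
    entry = lockfile.get(name)
    if entry is None:
        return False, f"{name} is not pinned in the lock file"
    if entry["version"] != version:
        return False, f"{name}: expected version {entry['version']}, got {version}"
    actual = sha256_hex(archive)
    # Constant-time comparison; cheap insurance even for a hex digest.
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, (f"{name} {version}: digest mismatch "
                       f"(pinned {entry['sha256'][:12]}..., got {actual[:12]}...)")
    return True, "ok"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_warnings(name: str, known=KNOWN_PACKAGES, max_distance: int = 1) -> list[str]:
    """Well-known names within a small edit distance of `name` (but not equal
    to it) are returned so a human can look before installing."""
    return sorted(k for k in known if k != name and edit_distance(name, k) <= max_distance)


if __name__ == "__main__":
    lock = {}
    archive = b"constructed archive bytes for vibe-d 0.8.1"  # stand-in for a real tarball
    pin_package(lock, "vibe-d", "0.8.1", archive)
    print(json.dumps(lock, indent=2))
    print(verify_download(lock, "vibe-d", "0.8.1", archive))
    print(verify_download(lock, "vibe-d", "0.8.1", archive + b"\x00"))  # tampered bytes
    print(lookalike_warnings("vibe_d"))  # near-miss of a known name
```

The digest check only helps if the pinned entry was captured from an archive someone actually reviewed (or that the registry signed); pinning whatever was downloaded first merely freezes the current state, which is still useful against later substitution but does not vouch for the initial upload. The name check is deliberately noisy: a distance-1 match is a prompt for review, not proof of malice.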