dub bad, aur hack edition
Luna
luna at foxgirls.gay
Sun Jun 14 12:15:44 UTC 2026
On Sunday, 14 June 2026 at 12:11:26 UTC, Guillaume Piolat wrote:
> On Sunday, 14 June 2026 at 12:02:30 UTC, Luna wrote:
>>
>> That way the attack surface would be limited to just the
>> package management component instead of affecting the entire
>> system.
>
> Another countermeasure might be that "dub upgrade" never pulls
> packages that are less than 5 days old without an override
> switch.
Well, another thing is that the AUR incident was caused by the
fact that orphaned (unupdated) packages can be adopted by other
users without requiring human intervention. For dub, this process
is manual and at least adds a layer of human review. That would
limit this kind of attack a lot.
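The minimum-age gate Guillaume suggests above (skip releases younger than five days unless the user passes an override) is simple enough to sketch. The following is an added illustration written for this thread; it is not dub's code, and the registry timestamps, version strings and the `allow_fresh` switch name are all constructed for the example. It also covers the edge case the rule creates for a brand-new package, whose only releases are all "too fresh".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimum age a release must have before an upgrade picks it without an override.
MIN_AGE = timedelta(days=5)


@dataclass(frozen=True)
class Release:
    version: str
    published: datetime  # timezone-aware UTC timestamp as recorded by the registry


def parse_version(v: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def select_version(releases, now, min_age=MIN_AGE, allow_fresh=False):
    """Pick the highest version that is at least `min_age` old.

    Returns (chosen_release_or_None, held_back). `held_back` lists releases
    newer than the chosen one that were skipped for being too fresh, so the
    resolver can tell the user what the override switch would pull in.
    When every release is too fresh (a brand-new package) the chosen
    release is None and the caller must decide whether to use the override.
    """
    eligible, skipped = [], []
    for r in releases:
        age = now - r.published
        if allow_fresh or age >= min_age:
            eligible.append(r)
        else:
            skipped.append(r)
    if not eligible:
        return None, skipped
    best = max(eligible, key=lambda r: parse_version(r.version))
    held_back = [r for r in skipped
                 if parse_version(r.version) > parse_version(best.version)]
    return best, held_back


# Constructed sample registry data for one package (not real releases).
NOW = datetime(2026, 6, 14, 12, 0, tzinfo=timezone.utc)

SAMPLE_RELEASES = [
    Release("1.2.0", NOW - timedelta(days=60)),
    Release("1.2.1", NOW - timedelta(days=30)),
    Release("1.3.0", NOW - timedelta(days=2)),   # pushed two days ago: held back
]

# A package that only exists since this morning: nothing passes the age gate.
BRAND_NEW_PACKAGE = [Release("0.1.0", NOW - timedelta(hours=6))]


if __name__ == "__main__":
    chosen, held = select_version(SAMPLE_RELEASES, NOW)
    print(f"resolved {chosen.version}; held back: {[r.version for r in held]}")
    chosen, _ = select_version(SAMPLE_RELEASES, NOW, allow_fresh=True)
    print(f"with override: {chosen.version}")
    chosen, held = select_version(BRAND_NEW_PACKAGE, NOW)
    print(f"brand-new package without override: {chosen}, held back {[r.version for r in held]}")
```

The age has to be measured from the timestamp the registry assigned when the release was uploaded, never from anything inside the package or its repository tags, otherwise the uploader controls the clock. The gate only buys time: it is useful to the extent someone actually looks at new releases during those five days, and it does nothing for a version that is already pinned in a lockfile.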