www.digitalmars.com         C & C++   DMDScript  

digitalmars.D - A potential danger to dub

reply David Gileadi <gileadisNOSPM gmail.com> writes:
Let me preface this by saying I love package managers and think dub is 
one of the best things with dlang. However they can also sometimes be 
dangerous, as this PyPI incident[1] shows: several Python packages were 
uploaded that contained names similar to the standard library, and had 
an extra semi-malicious payload. They are apparently now part of live 
software.

You could of course expect developers to do due diligence with the 
things they download, but of course they don't. It's probably worth 
paying attention to what the PyPI devs do to help mitigate this, and 
perhaps repeat some of those things with dub.

[1] 
https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
Sep 16 2017
next sibling parent solidstate1991 <laszloszeremi outlook.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows: several 
 Python packages were uploaded that contained names similar to 
 the standard library, and had an extra semi-malicious payload. 
 They are apparently now part of live software.

 You could of course expect developers to do due diligence with 
 the things they download, but of course they don't. It's 
 probably worth paying attention to what the PyPI devs do to 
 help mitigate this, and perhaps repeat some of those things 
 with dub.

 [1] 
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
We have the strength of being a mostly unknown language, but it still sounds scary. I usually download all the stuff, and only use dub to compile the libraries, then mostly rely on the IDE's build system, and wrote a PowerShell script to recompile the libraries I use in case if I update the compiler.
Sep 19 2017
prev sibling next sibling parent Szabo Bogdan <szabobogdan yahoo.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows: several 
 Python packages were uploaded that contained names similar to 
 the standard library, and had an extra semi-malicious payload. 
 They are apparently now part of live software.

 You could of course expect developers to do due diligence with 
 the things they download, but of course they don't. It's 
 probably worth paying attention to what the PyPI devs do to 
 help mitigate this, and perhaps repeat some of those things 
 with dub.

 [1] 
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
maybe we should have an option to add a hash with the package version, to be able to check the integrity of the code that it's downloaded?
Sep 22 2017
prev sibling parent reply Matt <vodkahaze hotmail.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows: several 
 Python packages were uploaded that contained names similar to 
 the standard library, and had an extra semi-malicious payload. 
 They are apparently now part of live software.

 You could of course expect developers to do due diligence with 
 the things they download, but of course they don't. It's 
 probably worth paying attention to what the PyPI devs do to 
 help mitigate this, and perhaps repeat some of those things 
 with dub.

 [1] 
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
The main vector of attack was slightly misnamed popular packages. That can be solved by adding checksums and adding some sort of "certified real repo" badge systems to the package manager.
Sep 22 2017
parent reply Ola Fosheim =?UTF-8?B?R3LDuHN0YWQ=?= <ola.fosheim.grostad gmail.com> writes:
On Friday, 22 September 2017 at 23:36:37 UTC, Matt wrote:
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
Not sure why this old post reappears in the index, but please be aware that the above article links to a site that sends you to random malicious websites. It is from a link in the sentence «Results published here showed the packages were downloaded almost 7,000 over a two-day period.». So don't got there...
Oct 09
parent Chris <wendlec tcd.ie> writes:
On Wednesday, 9 October 2019 at 12:47:27 UTC, Ola Fosheim Grøstad 
wrote:
 On Friday, 22 September 2017 at 23:36:37 UTC, Matt wrote:
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
Not sure why this old post reappears in the index, but please be aware that the above article links to a site that sends you to random malicious websites. It is from a link in the sentence «Results published here showed the packages were downloaded almost 7,000 over a two-day period.». So don't got there...
Thanks for the information.
Oct 09