
digitalmars.D - dub bad, aur hack edition

monkyyy <crazymonkyyy gmail.com> writes:
https://github.com/lenucksi/aur-malware-check/blob/a03038980a2fd93b42a9630df44ce78533d938b4/package_list.txt#L298

https://lunduke.substack.com/p/rust-based-malware-hits-14-of-arch

so, fun fact, the npm clone did the npm things. If you used dub 
in the past few days maybe you should nuke your system.

If `dub-git 1.11.0.alpha.1.r11.2cbab87-1` is out of date, maybe 
it should just be deleted
Jun 13
Kapendev <alexandroskapretsos gmail.com> writes:
On Sunday, 14 June 2026 at 05:34:26 UTC, monkyyy wrote:
 https://github.com/lenucksi/aur-malware-check/blob/a03038980a2fd93b42a9630df44ce78533d938b4/package_list.txt#L298

 https://lunduke.substack.com/p/rust-based-malware-hits-14-of-arch

 so, fun fact, the npm clone did the npm things. If you used dub 
 in the past few days maybe you should nuke your system.

 If `dub-git 1.11.0.alpha.1.r11.2cbab87-1` is out of date, maybe 
 it should just be deleted
Um, actually, this is an AUR issue and not a DUB issue. If you used Arch in the past few days maybe you should nuke your system. But, but... I can see how this can be a problem for DUB too. AUR and NPM are not special or anything.
Jun 13
Guillaume Piolat <first.name gmail.com> writes:
On Sunday, 14 June 2026 at 05:54:17 UTC, Kapendev wrote:
 But, but... I can see how this can be a problem for DUB too.
 AUR and NPM are not special or anything.
Before dub is hacked we should take a step towards signing packages somehow?
Jun 14
Luna <luna foxgirls.gay> writes:
On Sunday, 14 June 2026 at 11:36:38 UTC, Guillaume Piolat wrote:
 On Sunday, 14 June 2026 at 05:54:17 UTC, Kapendev wrote:
 But, but... I can see how this can be a problem for DUB too.
 AUR and NPM are not special or anything.
Before dub is hacked we should take a step towards signing packages somehow?
Overall the dub server infrastructure should probably get an overhaul, signing packages might be a good idea. Could be that the dub server generates a signing certificate that you then can use to sign git artifacts. But that would also add a bunch of friction to the package manager. I think a main point that needs to be addressed is separating dub into 2 systems, one for package management, one for being a robust build system. That way the attack surface would be limited to just the package management component instead of affecting the entire system.
Jun 14
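The signing scheme Luna sketches (the registry issues a publisher a signing key, releases are signed, and the client refuses anything it cannot verify) can be shown end to end in a few dozen lines. The block below is an added example written for this thread, not dub code or anything the dub server does today; the `TrustStore`, `Release` and `Publish`/`Verify` names, the Ed25519 choice, and the archive bytes are all constructed for illustration. The signed message binds package name, version and archive digest together so a valid signature on one release cannot be reused on a different package or version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a client fetches: the archive plus a detached signature and
// the ID of the key that produced it. (Hypothetical layout for this example.)
type Release struct {
	Name      string
	Version   string
	Archive   []byte
	KeyID     string // hex SHA-256 of the publisher's public key
	Signature []byte // Ed25519 signature over signedMessage(...)
}

// TrustStore holds the public keys the registry has issued to publishers,
// keyed by KeyID. A client would pin this from the registry, not from the package.
type TrustStore map[string]ed25519.PublicKey

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signedMessage ties the signature to name, version and archive digest, so a
// signature cannot be replayed on another package or another version.
func signedMessage(name, version string, archive []byte) []byte {
	digest := sha256.Sum256(archive)
	return []byte(name + "\x00" + version + "\x00" + hex.EncodeToString(digest[:]))
}

// Publish is the release-time step run by the holder of a registry-issued key.
func Publish(priv ed25519.PrivateKey, name, version string, archive []byte) Release {
	pub := priv.Public().(ed25519.PublicKey)
	return Release{
		Name: name, Version: version, Archive: archive,
		KeyID:     keyID(pub),
		Signature: ed25519.Sign(priv, signedMessage(name, version, archive)),
	}
}

var (
	ErrUnknownKey = errors.New("signing key was not issued by the registry")
	ErrBadSig     = errors.New("signature does not match name/version/archive")
)

// Verify is the client-side check that runs before anything is unpacked.
func Verify(ts TrustStore, r Release) error {
	pub, ok := ts[r.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, signedMessage(r.Name, r.Version, r.Archive), r.Signature) {
		return ErrBadSig
	}
	return nil
}

// Demo exercises the three cases a client cares about and returns
// (genuine release accepted, tampered archive rejected, unknown key rejected).
func Demo() (bool, bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{keyID(pub): pub}
	archive := []byte("constructed archive bytes for example-pkg 1.2.0") // constructed sample

	rel := Publish(priv, "example-pkg", "1.2.0", archive)
	genuine := Verify(ts, rel) == nil

	// Flip one byte of the archive after signing: the digest changes, so the
	// signature no longer verifies.
	tampered := rel
	tampered.Archive = append([]byte{}, archive...)
	tampered.Archive[0] ^= 1
	tamperedRejected := errors.Is(Verify(ts, tampered), ErrBadSig)

	// A release signed with a key the registry never issued is refused before
	// the signature is even checked.
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	stranger := Publish(strangerPriv, "example-pkg", "1.2.1", archive)
	foreignRejected := errors.Is(Verify(ts, stranger), ErrUnknownKey)

	return genuine, tamperedRejected, foreignRejected
}

func main() {
	fmt.Println(Demo()) // true true true
}
```

The friction Luna mentions lives entirely in `Publish` (publishers must hold a key); `Verify` adds nothing to the user's workflow beyond fetching the registry's key list, which is why the trust store is keyed by key ID rather than shipped inside the package.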
Guillaume Piolat <first.name gmail.com> writes:
On Sunday, 14 June 2026 at 12:02:30 UTC, Luna wrote:
 That way the attack surface would be limited to just the 
 package management component instead of affecting the entire 
 system.
Another countermeasure might be that "dub upgrade" never pulls packages that are less than 5 days old without an override switch.
Jun 14
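Guillaume's minimum-age rule is easy to express as a resolver policy: a version becomes eligible for an automatic upgrade only after it has been public for some number of days, and an explicit override is needed to take anything younger. The block below is an added example written for this thread, not dub's resolver; `UpgradePolicy`, `Candidate`, the 5-day default and the sample versions and timestamps are all constructed. It also reports which versions were skipped as too new, since a user who sees "1.1.1 skipped, published 2 days ago" can decide for themselves whether to pass the override.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Candidate is one published version of a package as the registry lists it.
type Candidate struct {
	Version   string
	Published time.Time
}

// UpgradePolicy: a version is eligible for an automatic upgrade only once it has
// been public for at least MinAge, unless AllowFresh (an explicit override
// switch, hypothetical here) is set.
type UpgradePolicy struct {
	MinAge     time.Duration
	AllowFresh bool
}

var ErrNoEligible = errors.New("no published version satisfies the upgrade policy")

// Select returns the newest eligible version plus every newer version it skipped
// as too fresh. Candidates are assumed to be listed in ascending version order,
// so the walk runs from the newest backwards.
func (p UpgradePolicy) Select(now time.Time, cands []Candidate) (Candidate, []Candidate, error) {
	var skipped []Candidate
	for i := len(cands) - 1; i >= 0; i-- {
		c := cands[i]
		if !p.AllowFresh && now.Sub(c.Published) < p.MinAge {
			skipped = append(skipped, c)
			continue
		}
		return c, skipped, nil
	}
	return Candidate{}, skipped, ErrNoEligible
}

// SampleNow is a constructed clock so the example is deterministic.
func SampleNow() time.Time {
	return time.Date(2026, 6, 14, 12, 0, 0, 0, time.UTC)
}

// SampleCandidates is a constructed release history: two settled versions and
// one that appeared two days ago, which is what a release pushed by a freshly
// adopted or hijacked maintainer account would look like to the resolver.
func SampleCandidates(now time.Time) []Candidate {
	return []Candidate{
		{Version: "1.0.0", Published: now.AddDate(0, -6, 0)},
		{Version: "1.1.0", Published: now.AddDate(0, 0, -30)},
		{Version: "1.1.1", Published: now.AddDate(0, 0, -2)},
	}
}

func main() {
	now := SampleNow()
	cands := SampleCandidates(now)

	defaultPolicy := UpgradePolicy{MinAge: 5 * 24 * time.Hour}
	chosen, skipped, err := defaultPolicy.Select(now, cands)
	fmt.Println("default:", chosen.Version, err) // default: 1.1.0 <nil>
	for _, s := range skipped {
		fmt.Printf("skipped %s (published %s ago)\n", s.Version, now.Sub(s.Published).Round(time.Hour))
	}

	override := UpgradePolicy{MinAge: 5 * 24 * time.Hour, AllowFresh: true}
	chosen, _, err = override.Select(now, cands)
	fmt.Println("with override:", chosen.Version, err) // with override: 1.1.1 <nil>
}
```

The policy only delays exposure; it does not detect a malicious release. Its value is that a compromised version has to survive `MinAge` days of public scrutiny (the window in which things like the AUR package-list check linked at the top of the thread get to run) before any default `dub upgrade` would pick it up.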
Luna <luna foxgirls.gay> writes:
On Sunday, 14 June 2026 at 12:11:26 UTC, Guillaume Piolat wrote:
 On Sunday, 14 June 2026 at 12:02:30 UTC, Luna wrote:
 That way the attack surface would be limited to just the 
 package management component instead of affecting the entire 
 system.
Another countermeasure might be that "dub upgrade" never pulls packages that are less than 5 days old without an override switch.
Well, another thing is that the AUR incident was caused by the fact that orphaned (unupdated) packages can be adopted by other users without requiring human intervention. For dub this process is manual and at least adds a layer of human review in the process. Would limit this kind of attack a lot.
Jun 14
monkyyy <crazymonkyyy gmail.com> writes:
On Sunday, 14 June 2026 at 12:15:44 UTC, Luna wrote:
 
 Well, another thing is that the AUR incident was caused by the 
 fact that orphaned (unupdated) packages can be adopted by other 
 users without requiring human intervention.
Maybe don't auto upgrade whole number versions. If I write `3.0.0` and leave it there for 5 years, it's not "orphaned", it's done. Or maybe do it entirely on time: if a package goes untouched for 3 months it gets a major version coloring even if the sysvar disagrees.

Post-AI I hope this update-maxxing theory of software dies; it's better for someone intelligent to spend a week on 100 lines of code 10 years ago than for some AI addict shipping 1000000 lines every few hours, yet npm and git are built under the assumption that everything should be continuously updated and that it's even a problem to solve.
Jun 14
Indraj Gandham <newsgroups indraj.net> writes:
 I think a main point that needs to be addressed is separating dub into 2
 systems, one for package management, one for being a robust build system.
If the goal is to have a robust and capable build system, several mature and language-agnostic tools already exist. The main reason for the widespread use of dub over these other systems is precisely because dub is also a package manager -- it makes it easier to manage lots of dependencies. It's a solution to a problem that shouldn't exist. This state of affairs has not gone unnoticed by regulators either (e.g. the supply chain due diligence provisions of the EU's CRA).
Jun 14
user1234 <user1234 12.de> writes:
On Sunday, 14 June 2026 at 05:34:26 UTC, monkyyy wrote:
 https://github.com/lenucksi/aur-malware-check/blob/a03038980a2fd93b42a9630df44ce78533d938b4/package_list.txt#L298

 https://lunduke.substack.com/p/rust-based-malware-hits-14-of-arch

 so, fun fact, the npm clone did the npm things. If you used dub 
 in the past few days maybe you should nuke your system.

 If `dub-git 1.11.0.alpha.1.r11.2cbab87-1` is out of date, maybe 
 it should just be deleted
The real problem was that non-power users of Arch Linux could get pwned. Like "I use Arch, I'm the boss"... The effect of the exploit is rather limited, I would say. It's a bit funny that this affects the very niche D lang tho.
Jun 16