
digitalmars.D - A potential danger to dub

David Gileadi <gileadisNOSPM gmail.com> writes:
Let me preface this by saying I love package managers and think dub is 
one of the best things with dlang. However they can also sometimes be 
dangerous, as this PyPI incident[1] shows: several Python packages were 
uploaded that contained names similar to the standard library, and had 
an extra semi-malicious payload. They are apparently now part of live 
software.

You could of course expect developers to do due diligence with the 
things they download, but of course they don't. It's probably worth 
paying attention to what the PyPI devs do to help mitigate this, and 
perhaps repeat some of those things with dub.

[1] 
https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
Sep 16 2017
solidstate1991 <laszloszeremi outlook.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows [...]
We have the strength of being a mostly unknown language, but it still sounds scary. I usually download all the stuff, and only use dub to compile the libraries, then mostly rely on the IDE's build system, and wrote a PowerShell script to recompile the libraries I use in case I update the compiler.
Sep 19 2017
Szabo Bogdan <szabobogdan yahoo.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows [...]
Maybe we should have an option to add a hash with the package version, to be able to check the integrity of the code that is downloaded?
Sep 22 2017
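An added example (not from this thread and not dub's own code) of the pin-a-hash-per-version idea above, in Python. The manifest format, the package name "example-lib" and the archive bytes are constructed for the example; a real tool would store the digest next to the dependency entry the first time the version is resolved and commit it with the project.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class IntegrityError(Exception):
    pass


def pin_archive(manifest: dict, name: str, version: str, data: bytes) -> str:
    """Record the digest of an archive the first time name@version is resolved.

    A pin is never silently overwritten: bumping a dependency means adding a new
    name@version entry, so an archive re-uploaded under an existing version
    (a common way to slip a payload into an already-trusted release) is caught
    instead of being accepted.
    """
    key = f"{name}@{version}"
    digest = sha256_hex(data)
    if key in manifest and manifest[key] != digest:
        raise IntegrityError(f"{key} is already pinned to a different digest")
    manifest[key] = digest
    return digest


def verify_archive(manifest: dict, name: str, version: str, data: bytes) -> str:
    """Check downloaded archive bytes against the digest pinned for that exact
    name@version. Returns the digest on success; raises IntegrityError when the
    version was never pinned or the bytes differ from the pin."""
    key = f"{name}@{version}"
    expected = manifest.get(key)
    actual = sha256_hex(data)
    if expected is None:
        raise IntegrityError(f"no pinned hash for {key}; refusing unpinned package")
    # Constant-time comparison; not strictly needed for a local check, but it is
    # the habit to keep when comparing digests.
    if not hmac.compare_digest(expected, actual):
        raise IntegrityError(f"hash mismatch for {key}: expected {expected}, got {actual}")
    return actual


# Constructed sample data: fake bytes standing in for a package zip and for
# the same zip with something appended after upload.
GOOD_ARCHIVE = b"PK\x03\x04 constructed archive for example-lib 1.2.0"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n// injected payload"


def demo() -> dict:
    """Walk through pinning, a clean re-download, a tampered one and an unpinned version."""
    manifest = {}
    first = pin_archive(manifest, "example-lib", "1.2.0", GOOD_ARCHIVE)
    ok = verify_archive(manifest, "example-lib", "1.2.0", GOOD_ARCHIVE) == first
    try:
        verify_archive(manifest, "example-lib", "1.2.0", TAMPERED_ARCHIVE)
        tampered_caught = False
    except IntegrityError:
        tampered_caught = True
    try:
        verify_archive(manifest, "example-lib", "1.3.0", GOOD_ARCHIVE)
        unpinned_caught = False
    except IntegrityError:
        unpinned_caught = True
    return {"ok": ok, "tampered_caught": tampered_caught, "unpinned_caught": unpinned_caught}


if __name__ == "__main__":
    print(demo())
```

The caveat worth keeping in mind: a pinned hash only proves that the bytes are the same bytes that were pinned. It says nothing about whether the pinned package was benign in the first place, and it does nothing against the PyPI case in the original post, where the wrong package was requested by name and its hash would simply have been pinned along with it.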
Matt <vodkahaze hotmail.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows [...]
The main vector of attack was slightly misnamed popular packages. That can be solved by adding checksums and adding some sort of "certified real repo" badge systems to the package manager.
Sep 22 2017
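Checksums cover the integrity half of the above; for the "slightly misnamed popular packages" half, here is an added example (not from this thread and not part of dub) of the near-miss check a registry or client could run on a requested name before resolving it. The list of known names is an assumed allow-list for illustration, and the normalization rule (case-folding, treating `_` and `-` alike) is a design choice of this example, not a description of how the dub registry actually matches names.

```python
from __future__ import annotations


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Canonical form used for comparison: lower-case, '_' folded to '-'.
    Assumption for this example; a real registry would use its own rule."""
    return name.lower().replace("_", "-")


# Assumed allow-list of popular names for illustration.
KNOWN = {"vibe-d", "mir-algorithm", "unit-threaded", "dub"}


def check_name(requested: str, known: set[str] = KNOWN, max_distance: int = 2) -> tuple[str, list[str]]:
    """Classify a requested package name.

    Returns ("exact", []) when it is a known name, ("suspicious", [nearby names])
    when it is within max_distance edits of one or more known names without being
    one itself (the typosquatting pattern), and ("unknown", []) otherwise.
    """
    req = normalize(requested)
    canon = {normalize(k): k for k in known}
    if req in canon:
        return ("exact", [])
    near = sorted(canon[k] for k in canon if levenshtein(req, k) <= max_distance)
    return ("suspicious", near) if near else ("unknown", [])


if __name__ == "__main__":
    for name in ("vibe-d", "vibed", "Vibe_D", "mir-algoritm", "totally-different"):
        print(name, check_name(name))
```

A fixed distance of two is too loose for very short names (almost any three-letter string is within two edits of another), so in practice the threshold should shrink with name length, and "suspicious" should mean "ask a human" rather than "block": plenty of legitimate packages have names one character apart.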
Ola Fosheim Grøstad <ola.fosheim.grostad gmail.com> writes:
On Friday, 22 September 2017 at 23:36:37 UTC, Matt wrote:
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
Not sure why this old post reappears in the index, but please be aware that the above article links to a site that sends you to random malicious websites. It is from a link in the sentence «Results published here showed the packages were downloaded almost 7,000 over a two-day period.». So don't go there...
Oct 09 2019
Chris <wendlec tcd.ie> writes:
On Wednesday, 9 October 2019 at 12:47:27 UTC, Ola Fosheim Grøstad 
wrote:
 [...] please be aware that the above article links to a site that sends you to random malicious websites. [...] So don't go there...
Thanks for the information.
Oct 09 2019