www.digitalmars.com         C & C++   DMDScript  

digitalmars.D - A potential danger to dub

reply David Gileadi <gileadisNOSPM gmail.com> writes:
Let me preface this by saying I love package managers and think dub is 
one of the best things with dlang. However they can also sometimes be 
dangerous, as this PyPI incident[1] shows: several Python packages were 
uploaded that contained names similar to the standard library, and had 
an extra semi-malicious payload. They are apparently now part of live 
software.

You could of course expect developers to do due diligence with the 
things they download, but of course they don't. It's probably worth 
paying attention to what the PyPI devs do to help mitigate this, and 
perhaps repeat some of those things with dub.

[1] 
https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
Sep 16
next sibling parent solidstate1991 <laszloszeremi outlook.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows: several 
 Python packages were uploaded that contained names similar to 
 the standard library, and had an extra semi-malicious payload. 
 They are apparently now part of live software.

 You could of course expect developers to do due diligence with 
 the things they download, but of course they don't. It's 
 probably worth paying attention to what the PyPI devs do to 
 help mitigate this, and perhaps repeat some of those things 
 with dub.

 [1] 
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
We have the strength of being a mostly unknown language, but it still sounds scary. I usually download all the stuff, and only use dub to compile the libraries, then mostly rely on the IDE's build system, and wrote a PowerShell script to recompile the libraries I use in case if I update the compiler.
Sep 19
prev sibling next sibling parent Szabo Bogdan <szabobogdan yahoo.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows: several 
 Python packages were uploaded that contained names similar to 
 the standard library, and had an extra semi-malicious payload. 
 They are apparently now part of live software.

 You could of course expect developers to do due diligence with 
 the things they download, but of course they don't. It's 
 probably worth paying attention to what the PyPI devs do to 
 help mitigate this, and perhaps repeat some of those things 
 with dub.

 [1] 
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
maybe we should have an option to add a hash with the package version, to be able to check the integrity of the code that it's downloaded?
Sep 22
prev sibling parent Matt <vodkahaze hotmail.com> writes:
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi 
wrote:
 Let me preface this by saying I love package managers and think 
 dub is one of the best things with dlang. However they can also 
 sometimes be dangerous, as this PyPI incident[1] shows: several 
 Python packages were uploaded that contained names similar to 
 the standard library, and had an extra semi-malicious payload. 
 They are apparently now part of live software.

 You could of course expect developers to do due diligence with 
 the things they download, but of course they don't. It's 
 probably worth paying attention to what the PyPI devs do to 
 help mitigate this, and perhaps repeat some of those things 
 with dub.

 [1] 
 https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
The main vector of attack was slightly misnamed popular packages. That can be solved by adding checksums and adding some sort of "certified real repo" badge systems to the package manager.
Sep 22