by raesene3 3738 days ago
Kind of amusing that this is considered to need a new vuln. report; I kind of assumed it was common knowledge.

Most of the programming language package repositories (e.g. npm, rubygems, PyPi, NuGet) have this kind of installation process and limited/no checks for malicious content.

Also, as there's no consistent use of package signing by the developer (it's either unsupported or not very used), there is also a risk of the repository itself being compromised.

I did a talk last year for OWASP AppSecEU that covers this kind of thing. https://www.youtube.com/watch?v=Wn190b4EJWk


A very insightful look at package signing, and why it wouldn't actually improve security for PyPI, by Python packaging guru Donald Stufft:

https://caremad.io/2013/07/packaging-signing-not-holy-grail/

What a great link: topical and well-reasoned! The concluding sentence is interesting: "My biggest hope is that we’ll get a solution where the end user has the relationship with the source of trust and not the package author." If one runs one's own npm registry and audits everything that goes into it, one can have that already with npm.
Yes, that closing remark is very interesting. It would essentially be formalising what we somehow do manually/instinctively today: "Installing numpy/react/etc.? Yes, everyone I know trusts that, so I do too." "Installing random small non-popular package? I better have a bit of a look at the code first."
Indeed package signing is not the holy grail and won't solve all problems, but it is a part of a secure system.

For the problem this blog post talks about, I personally think that keybase is the right solution. You can tie a key to a github repository amongst others and then validate that the package you're installing came from the person who put the code on github in the first place...
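The trust model discussed in the last few comments (the end user, not the package author, holds the relationship with the source of trust) as an added example that is not part of the thread or of any real registry: the user keeps their own store of which publisher keys they accept for each package, and a package is installed only if a key from that store verifies the signature over the artifact's digest. Package name, artifact bytes and the `TrustStore` type are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore is the end user's own mapping from package name to the publisher
// keys the user has decided to trust for that package (hypothetical structure).
type TrustStore map[string][]ed25519.PublicKey

// SignedPackage is an artifact plus the publisher's signature over its digest.
type SignedPackage struct {
	Name      string
	Artifact  []byte
	Signature []byte
	PubKey    ed25519.PublicKey // key the registry claims signed it; not trusted on its own
}

var (
	ErrUntrustedKey = errors.New("publisher key is not in the user's trust store for this package")
	ErrBadSignature = errors.New("signature does not verify over the artifact digest")
)

// SignPackage signs the SHA-256 digest of the artifact with the publisher's key.
func SignPackage(name string, artifact []byte, priv ed25519.PrivateKey) SignedPackage {
	digest := sha256.Sum256(artifact)
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPackage{Name: name, Artifact: artifact, Signature: ed25519.Sign(priv, digest[:]), PubKey: pub}
}

// Verify accepts the package only if the claimed key is one the user trusts for
// this package AND that trusted key (not the claimed one) verifies the signature.
func (ts TrustStore) Verify(p SignedPackage) error {
	digest := sha256.Sum256(p.Artifact)
	for _, trusted := range ts[p.Name] {
		if !trusted.Equal(p.PubKey) {
			continue
		}
		if ed25519.Verify(trusted, digest[:], p.Signature) {
			return nil
		}
		return ErrBadSignature // trusted key, but the artifact or signature was altered
	}
	return ErrUntrustedKey // a valid signature from an unknown key is still rejected
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	store := TrustStore{"example-pkg": {pub}} // user audited this publisher once
	fmt.Println(store.Verify(SignPackage("example-pkg", []byte("constructed artifact"), priv)))
}
```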

Here's the definitive work on the subject from the past:

http://www.dwheeler.com/essays/scm-security.html

He has lots of nice links, too. Hope you can factor some of it into your talks to get it to a mainstream audience. I've saved the vid to check it out later. Will be interesting to see an experienced perspective with the modern tooling.

However, I admit I've always thought updating Shapiro's OpenCM or Aegis to distributed style with plugins for modern tooling gets us 90+% of the way. Without the problems of 90+% of build and package mgmt systems. ;)