Hacker News
by ricardobeat, 2902 days ago
Which package managers are properly made, and how are they more secure? As far as I'm aware npm's security model is shared with almost all of them.
2 comments
erik_seaberg, 2902 days ago
RPM and .deb packages have GPG signatures and lists of trusted maintainers. NPM doesn't have that; https://medium.com/redpoint/introducing-pkgsign-package-sign... looks like a very early start on a big project that could fix this if it catches on.
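The signature-plus-trusted-maintainer-list model this comment describes, as an added example in Go using the standard library's ed25519 (not code from the thread, from pkgsign, or from any real package manager); the `Package` and `Keyring` types, the name/archive digest and the maintainer names are hypothetical:

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Package is what a client downloads: archive, detached signature and the signer's
// public key (raw ed25519 here; a distro would use a GPG fingerprint). Hypothetical type.
type Package struct {
	Name      string
	Archive   []byte
	Signature []byte
	SignerKey ed25519.PublicKey
}
// Keyring is the distribution's list of trusted maintainers: hex public key -> name.
type Keyring map[string]string

var ErrUntrustedSigner = errors.New("signer is not a trusted maintainer")
var ErrBadSignature = errors.New("signature does not cover this name and archive")
// digest binds the package name to the archive bytes so a valid signature on one
// package cannot be replayed as the signature of another.
func digest(name string, archive []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator: keeps the name/archive boundary unambiguous
	h.Write(archive)
	return h.Sum(nil)
}
// Sign is the maintainer side.
func Sign(priv ed25519.PrivateKey, name string, archive []byte) Package {
	return Package{Name: name, Archive: archive,
		Signature: ed25519.Sign(priv, digest(name, archive)),
		SignerKey: priv.Public().(ed25519.PublicKey)}
}
// Verify is the client side. The keyring lookup comes first: a signature from a key
// the attacker controls proves nothing, however valid, unless that key is trusted.
func (k Keyring) Verify(p Package) (string, error) {
	who, ok := k[hex.EncodeToString(p.SignerKey)]
	if !ok {
		return "", ErrUntrustedSigner
	}
	if !ed25519.Verify(p.SignerKey, digest(p.Name, p.Archive), p.Signature) {
		return "", ErrBadSignature
	}
	return who, nil
}
```

Because the keyring is consulted before the signature is checked, a package shipped with a self-made key fails as "untrusted signer" rather than being accepted on the strength of a signature that merely verifies.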
eptcyka, 2902 days ago
Cargo is far better in this regard, for one.
Arnavion, 2902 days ago
Cargo packages can also execute arbitrary code at compile-time through build scripts, which run with full permissions of the original `cargo` command including filesystem and network access.