by
halflife
290 days ago
This sucks for libraries that download native binaries in their install script. There are quite a few.
2 comments
lrvick
290 days ago
Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.
Everything must be provided as source code and any compilation must happen locally.
oulipo2
290 days ago
Sure, but then you need to have a way to whitelist.
lrvick
290 days ago
The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.
link
junon
290 days ago
You can still whitelist them, though, and reinstall them.