Hacker News new | ask | show | jobs
by mixedbit 134 days ago
An extension from a trusted, non anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually build verbatim from the code which is open sourced.
2 comments
jakub_g 134 days ago
Actually, npm supports "provenance" and as it eliminated long lived access tokens for publishing, it encourages people to use "trusted publishing" which over time should make majority of packages be auto-provenance-vefified.

https://docs.npmjs.com/trusted-publishers#automatic-provenan...

link
elashri 134 days ago
pypi also added this last year [1] and encouraging people to use trusted publishing as well.

[1] https://docs.pypi.org/trusted-publishers/

link
LtWorf 133 days ago
If the build doesn't happen without network access, it doesn't really work.
link
btown 134 days ago
Unless the Chrome web store integrates with this, it puts the onus on users to continuously scan extension updates for hash mismatches with the public extension builds, which isn’t standardized. And even then this would be after an update is unpacked, which may not run in time to prevent initial execution. Nor does it prevent a supply chain attack on the code running in the GitHub Action for the build, especially if dependencies aren’t pinned. There’s no free lunch here.
link
smithza 134 days ago
key word "encourages"

when someone uses `npm install/add/whatever-verb` does it default to only using trusted publishing sources? and the dependency graph?

either 100% enforcement or it won't stick and these attack vulnerabilities are still there.

link
m4rtink 134 days ago
If the RPM/deb comes from a Linux distribution then there is a good chance there is a separate maintainer and the binary package is always built from the source code by the distro.

Also if the upstream developer goes malicious there is a good chance at least one of the distro maintainers will notice and both prevent the bad source code being built for the distro & notify others.

link
pocksuppet 134 days ago
Browser extensions come from the Chrome/Firefox addon store, though and not through distros.
link
m4rtink 133 days ago
And maybe that's why we have the problem that is being discussed ? No third party that would audit and build extensions from source.
link
LtWorf 133 days ago
Everybody seems to hate distributions though.
link