
> How does everyone taking the piss intend to protect themselves from this in their OS package manager, or PPM or composer or pip?

By signing packages and not allowing literally anybody to re-upload a brand new package that does something completely different under the name of an existing, widely-used package. There's not much excuse for that in any respectable package manager.



Okay, so have you checked all of the apt repos you've added to sources over the years, or has one of the PPAs changed to something malicious?


I've added exactly 0 apt sources, precisely because relying on PPAs and the like is terribly, terribly insecure. Allowing some random person to run code on my machine as root — that's insane.


I use Arch and only official sources, which are checked over and signed by a small, well-trusted team[1]. Nothing like npm's model.

[1]: https://www.archlinux.org/master-keys/
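The two mechanisms this thread argues for, a small trusted keyring like Arch's master keys and a registry that refuses to let anyone else re-upload under an existing name, fit in a few dozen lines. The following Go program is an added example written for this page; it is not code from npm, apt, pacman or any other package manager, and the registry, the `widely-used-lib` package name and the key names are constructed for illustration. Signatures are Ed25519 from Go's standard library, over the package name, version and SHA-256 digest together, so a valid signature cannot be replayed onto a different artifact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Artifact is one signed upload: the package contents are identified by digest,
// and the signature covers name, version and digest together.
type Artifact struct {
	Name, Version string
	Digest        [32]byte // sha256 of the package contents
	Signer        ed25519.PublicKey
	Signature     []byte
}

// Registry is a constructed model (not any real registry's code) enforcing:
//  1. every upload carries a valid Ed25519 signature,
//  2. the signing key is in a small trusted keyring,
//  3. a name belongs to its first signer forever, and versions are immutable.
type Registry struct {
	trusted  map[string]bool               // public key bytes -> trusted
	owner    map[string]string             // package name -> public key bytes of first publisher
	versions map[string]map[string][32]byte // name -> version -> digest
}

var (
	ErrUntrustedKey  = errors.New("signing key not in trusted keyring")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrNameTaken     = errors.New("name already owned by a different key")
	ErrVersionExists = errors.New("version already published; versions are immutable")
)

// NewKey generates a fresh Ed25519 key pair (helper for the demo and tests).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewRegistry(trusted ...ed25519.PublicKey) *Registry {
	r := &Registry{trusted: map[string]bool{}, owner: map[string]string{}, versions: map[string]map[string][32]byte{}}
	for _, k := range trusted {
		r.trusted[string(k)] = true
	}
	return r
}

// signedMessage binds the signature to name, version and digest.
func signedMessage(name, version string, digest [32]byte) []byte {
	return []byte(fmt.Sprintf("%s@%s\n%x", name, version, digest))
}

// Sign is what a publisher runs locally before uploading.
func Sign(priv ed25519.PrivateKey, name, version string, contents []byte) Artifact {
	d := sha256.Sum256(contents)
	return Artifact{Name: name, Version: version, Digest: d,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedMessage(name, version, d))}
}

// Publish applies the three rules in order: keyring, signature, ownership, immutability.
func (r *Registry) Publish(a Artifact) error {
	if !r.trusted[string(a.Signer)] {
		return ErrUntrustedKey
	}
	if !ed25519.Verify(a.Signer, signedMessage(a.Name, a.Version, a.Digest), a.Signature) {
		return ErrBadSignature
	}
	if owner, ok := r.owner[a.Name]; ok && owner != string(a.Signer) {
		return ErrNameTaken
	}
	if _, ok := r.versions[a.Name][a.Version]; ok {
		return ErrVersionExists
	}
	if _, ok := r.owner[a.Name]; !ok {
		r.owner[a.Name] = string(a.Signer) // trust-on-first-publish: the name is now reserved
		r.versions[a.Name] = map[string][32]byte{}
	}
	r.versions[a.Name][a.Version] = a.Digest
	return nil
}

// Unpublish removes a version but keeps the name reserved for its owner,
// so a removed package cannot be replaced by someone else's code.
func (r *Registry) Unpublish(name, version string, signer ed25519.PublicKey) error {
	if r.owner[name] != string(signer) {
		return ErrNameTaken
	}
	delete(r.versions[name], version)
	return nil
}

// Fetch is the client-side check: a download must match the recorded digest.
func (r *Registry) Fetch(name, version string, downloaded []byte) error {
	d, ok := r.versions[name][version]
	if !ok {
		return errors.New("no such version")
	}
	if sha256.Sum256(downloaded) != d {
		return errors.New("digest mismatch: download tampered or replaced")
	}
	return nil
}

func main() {
	maintainerPub, maintainerPriv := NewKey()
	otherPub, otherPriv := NewKey() // trusted, but does not own the name
	_, strangerPriv := NewKey()     // not in the keyring at all
	reg := NewRegistry(maintainerPub, otherPub)

	fmt.Println(reg.Publish(Sign(maintainerPriv, "widely-used-lib", "1.0.0", []byte("original code")))) // <nil>
	fmt.Println(reg.Publish(Sign(strangerPriv, "widely-used-lib", "1.0.1", []byte("other code"))))      // untrusted key
	fmt.Println(reg.Publish(Sign(otherPriv, "widely-used-lib", "1.0.1", []byte("other code"))))         // name taken
	_ = reg.Unpublish("widely-used-lib", "1.0.0", maintainerPub)
	fmt.Println(reg.Publish(Sign(otherPriv, "widely-used-lib", "1.0.0", []byte("replacement")))) // still name taken
}
```

The ownership check is what closes the gap the thread complains about: after `Unpublish`, the name stays bound to the original signer's key, so a trusted-but-different publisher still gets `ErrNameTaken` rather than silently taking over a name that every dependent already resolves.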



