7 comments

[ 2.5 ms ] story [ 23.5 ms ] thread
While this is a logistical problem and people generally don't check code in the dependency tree, I already fear the security mechanisms that might spawn from this.
Did you have anything specific in mind?
stdlib or die.

/me flashes obscure gang insignia

crev is an open-source framework trying to fix this, using a web-of-trust approach to reviews: https://github.com/crev-dev/

Currently only available for Cargo, Rust's package manager, but more integrative are being developed.

With the release of GitHub’s Copilot, I wonder how far we are from ML identification of malicious repositories.
Worthy startup idea!
Isn't this a halting problem sort of endeavor? Figuring out if any possible input to the library triggers a "bad" outcome?