Software downloaded 30k times from PyPI ransacked developers’ machines (arstechnica.com) 19 points by Engineering-MD 4y ago ↗ HN
[–] raxxorrax 4y ago ↗ While this is a logistical problem and people generally don't check code in the dependency tree, I already fear the security mechanisms that might spawn from this. [–] Engineering-MD 4y ago ↗ Did you have anything specific in mind? [–] 0des 4y ago ↗ stdlib or die./me flashes obscure gang insignia
[–] Engineering-MD 4y ago ↗ Did you have anything specific in mind? [–] 0des 4y ago ↗ stdlib or die./me flashes obscure gang insignia
[–] remram 4y ago ↗ crev is an open-source framework trying to fix this, using a web-of-trust approach to reviews: https://github.com/crev-dev/Currently only available for Cargo, Rust's package manager, but more integrative are being developed.
[–] pfbtgom 4y ago ↗ With the release of GitHub’s Copilot, I wonder how far we are from ML identification of malicious repositories. [–] sjg007 4y ago ↗ Worthy startup idea! [–] remram 4y ago ↗ Isn't this a halting problem sort of endeavor? Figuring out if any possible input to the library triggers a "bad" outcome?
[–] remram 4y ago ↗ Isn't this a halting problem sort of endeavor? Figuring out if any possible input to the library triggers a "bad" outcome?
7 comments
[ 2.5 ms ] story [ 23.5 ms ] thread/me flashes obscure gang insignia
Currently only available for Cargo, Rust's package manager, but more integrative are being developed.