Hi David,
Are there other drop-in scanners planned in addition to hexora? The Readme says it scans upstream python, but what about the nodejs/npm files?
> […] If hexora looks at upstream python, is it worth doing something > similar for npm?The Hexora drop-in is currently all I have. The goal at the moment is to figure out whether the whole approach even works at all in practice.
The main reason why I specifically chose Python and not Node.js for my first drop-in is that Python packages exclusively use other system packages as dependencies, while Node.js packages download their dependencies from NPM at `prepare()` time instead. The srcaudit feature can currently handle `source` arrays but not `prepare()`. Using it as is for scanning Node.js packages poses the risk of instilling a false sense of security.
With that out of the way: srcaudit is designed to be pluggable, so anyone is free to integrate their own Node.js scanner as a srcaudit drop-in if they’re ok with the limitations.
> If the post-install modifications pull in poisoned npm files, could a > similar drop in there catch it?You’d need some other system outside of makepkg for that to work. There’s no way for srcaudit to catch bad install hooks because it must assume the PKGBUILD is benign. A bad PKGBUILD could simply declare:
options=('!srcaudit')
and knock its lights out. That’s why srcaudit focuses on upstream code,
and only works with PKGBUILDs that themselves have been vetted.
> Best of luck to you all. You are doing great! Thank you David, appreciate the kind words! Regards Claudia
OpenPGP_0xD11E9FC4F7C9DA3C.asc
Description: OpenPGP public key
OpenPGP_signature.asc
Description: OpenPGP digital signature
