On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi
wrote:
Let me preface this by saying I love package managers and think
dub is one of the best things with dlang. However they can also
sometimes be dangerous, as this PyPI incident[1] shows: several
Python packages were uploaded that contained names similar to
the standard library, and had an extra semi-malicious payload.
They are apparently now part of live software.
You could of course expect developers to do due diligence with
the things they download, but of course they don't. It's
probably worth paying attention to what the PyPI devs do to
help mitigate this, and perhaps repeat some of those things
with dub.
[1]
https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
The main vector of attack was slightly misnamed popular packages.
That can be solved by adding checksums and adding some sort of
"certified real repo" badge systems to the package manager.
