On Mon, Sep 18, 2017 at 12:38 PM Nils Bruin <nbr...@sfu.ca> wrote:

> On Friday, September 15, 2017 at 8:22:09 AM UTC-7, William wrote:
>
>>
>> On Fri, Sep 15, 2017 at 8:00 AM Maarten Derickx <m.derick...@gmail.com>
>> wrote:
>>
>>> Hi Everybody who wants to discuss security in sage:
>>>
>>> Please do so in this thread and not in "How much do we support optional
>>> packages".  So that these two discussions can both be held and without
>>> cluttering each other.
>>>
>>
>> Good idea.  And if anybody does write in here, please precisely define
>> your security/threat model before writing anything else...  since otherwise
>> the discussion is worthless.
>>
>
> I think a real concern with software distributions with non-centralized
> repository maintenance is the mismatch between the curation expected by the
> user and the curation of code that actually happens by the project.
>
> Users may expect that if they download software from sagemath.org, then
> they are getting files that are from there, and are checked by the people
> there: the user will decide to trust those people and assume that if a
> breach happens there, he/she will be notified, and then he/she can decide to
> stop trusting that source.
>
> In reality this is increasingly not the case anymore: sage pulls in
> packages from "Pypi" when installing. Contrary to sagemath.org, there is
> not a well-defined group of people deciding whether to accept/reject code
> changes to Pypi projects.
>

From 3 days ago:

Ten Malicious Libraries Found on PyPI - Python Package Index

https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-found-on-pypi-python-package-index/



> sagemath isn't just pulling everything from Pypi, so we're perhaps not
> exposed to arbitrary code uploaded to Pypi (see, e.g.
> http://incolumitas.com/2016/06/08/typosquatting-package-managers/), but
> to what extent we are subject to the whims of other project maintainers
> isn't clear to me.
>
> In short: I think the main concern isn't "security" in the sense of
> privilege escalation, but "malware prevention" -- what measures are being
> taken to ensure that sagemath isn't a vector for code that is maliciously
> doing something else than what it is advertising.
> If the answer is "absolutely nothing" it may be hard to convince sysadmins
> to install it, and would mean that personal users should also run it in a
> well-contained jail, with strict limits on the resources it has access to
> (i.e., everybody should run the VMs that were previously necessary on
> Windows!). This kind of thing needs a balance between paranoia and
> carelessness.
>
-- 
-- William Stein

-- 
You received this message because you are subscribed to the Google Groups 
"sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sage-devel+unsubscr...@googlegroups.com.
To post to this group, send email to sage-devel@googlegroups.com.
Visit this group at https://groups.google.com/group/sage-devel.
For more options, visit https://groups.google.com/d/optout.
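The measure Nils's message asks about, refusing third-party code that the project has not explicitly reviewed, comes down to two checks at download time: the exact package name and version must appear in a manifest curated by the project, and the downloaded bytes must match the digest pinned there. The following is an added example written for this thread; it is not code from the thread, from Sage, or from pip. The manifest format (`name==version sha256=<hex>`), the package names and the tarball contents are all constructed for illustration, and name normalisation follows the PEP 503 rule (case-insensitive, runs of `-`, `_`, `.` collapsed to `-`) so that `Six` and `six` pin to the same entry while `sixx` does not.

```python
"""Curation gate for third-party package downloads (added example, not Sage's code).

Accept a downloaded archive only if (name, version) is in a locally reviewed
manifest and its SHA-256 matches the pinned digest.  An unknown or typo'd name,
an unpinned version, or a modified archive is refused before anything is run.
"""
import hashlib
import io
import re
import tarfile


def normalize_name(name):
    """PEP 503 project-name normalisation, so lookups match PyPI's own rules."""
    return re.sub(r"[-_.]+", "-", name).lower()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text):
    """Parse 'name==version sha256=<hex>' lines into {(name, version): hex}.

    '#' starts a comment; only sha256 pins are accepted (a manifest that
    allows weaker digests would let a reviewer pin something collidable).
    """
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            spec, digest = line.split()
            name, version = spec.split("==")
            algo, hexdigest = digest.split("=", 1)
        except ValueError:
            raise ValueError("manifest line %d is malformed: %r" % (lineno, raw))
        if algo != "sha256" or len(hexdigest) != 64:
            raise ValueError("manifest line %d: only sha256 pins are accepted" % lineno)
        pins[(normalize_name(name), version)] = hexdigest.lower()
    return pins


def check_download(pins, name, version, data):
    """Return (accepted, reason) for a downloaded archive."""
    key = (normalize_name(name), version)
    if key not in pins:
        # Covers typosquats ('sixx'), unreviewed packages and unpinned versions alike.
        return False, "%s==%s is not in the curated manifest" % (name, version)
    actual = sha256_hex(data)
    if actual != pins[key]:
        return False, "sha256 mismatch for %s==%s: pinned %s, got %s" % (
            name, version, pins[key], actual)
    return True, "ok"


def make_sdist(name, version, setup_py):
    """Build a deterministic in-memory tar archive standing in for an sdist (constructed data)."""
    buf = io.BytesIO()
    payload = setup_py.encode("utf-8")
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("%s-%s/setup.py" % (name, version))
        info.size = len(payload)
        info.mtime = 0
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed archives: the reviewed one, a same-name one with different contents,
# and a look-alike name.  None of these are real PyPI releases.
GOOD = make_sdist("six", "1.11.0", "from setuptools import setup\nsetup(name='six')\n")
TAMPERED = make_sdist("six", "1.11.0", "print('not what the reviewers looked at')\n")
TYPO = make_sdist("sixx", "1.11.0", "from setuptools import setup\nsetup(name='sixx')\n")

# Constructed manifest: the project pins exactly what it reviewed.
MANIFEST = "# packages reviewed by the project\nsix==1.11.0 sha256=%s\n" % sha256_hex(GOOD)


def run_checks():
    """Run the gate over the constructed downloads; True means 'install allowed'."""
    pins = parse_manifest(MANIFEST)
    return {
        "good": check_download(pins, "six", "1.11.0", GOOD)[0],
        "tampered": check_download(pins, "six", "1.11.0", TAMPERED)[0],
        "typosquat": check_download(pins, "sixx", "1.11.0", TYPO)[0],
        "unpinned_version": check_download(pins, "six", "1.12.0", GOOD)[0],
    }


if __name__ == "__main__":
    for label, accepted in run_checks().items():
        print("%-17s %s" % (label, "accepted" if accepted else "refused"))
```

The gate is only as good as the manifest: a digest pinned without anyone reading the archive it was taken from just freezes whatever was on the index that day. What it does buy is that a later upload under the same name and version, or a similarly named package, cannot reach the install step without a manifest change that goes through the project's own review.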
