BB_C@programming.dev
on 02 Sep 2023 04:46
Misuse/Overuse of the word “federated” is apparently all the rage in 2023.
Mubelotix@jlai.lu
on 02 Sep 2023 06:31
This had to happen. Most build-scripts could run on wasm, and the others should have to be manually approved before being executed
onlinepersona@programming.dev
on 02 Sep 2023 15:31
This could be improved by following what nix does: pull all dependencies first and then execute the build in a container or namespace without any access to the network.
technom@programming.dev
on 04 Sep 2023 03:32
That can be done. But how do you trust software at runtime if it can’t be trusted at build time?
This is more of a supply chain issue. Users are likely to build only reputed crates. However, their dependencies may not be that reputed. For example, malicious actors may buy out a common and deeply buried dependency and use that to propagate malware (this regularly happens with browser extensions - even open source ones). How do we ensure that this doesn’t happen?
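The two controls discussed above (the nix-style "download first, then build with no network" flow, and review of dependencies that run code at build time, including a deeply buried one that changes hands) can be combined into one gate in CI. The script below is an added example written for this thread; it is not code from the thread, from cargo, or from nix. It parses a constructed excerpt of `cargo metadata` output, lists every package whose targets run during compilation (`custom-build`, i.e. build.rs, and, going slightly beyond the build scripts the thread mentions, `proc-macro` crates), requires an approval keyed on the exact `name@version` so that a new release of a previously reviewed crate is flagged again, and only then runs `cargo fetch` followed by `cargo build --offline` inside a fresh network namespace via util-linux `unshare`. The approval set and the `run` hook are assumptions for illustration.

```python
import json
import subprocess
from typing import Callable, Dict, List, Set

# Constructed excerpt of `cargo metadata --format-version 1` output for a
# hypothetical project (not real metadata). Targets of kind "custom-build"
# are build.rs scripts; "proc-macro" targets also execute during compilation.
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "myapp", "version": "0.1.0",
         "targets": [{"name": "myapp", "kind": ["bin"]}]},
        {"name": "libc", "version": "0.2.147",
         "targets": [{"name": "libc", "kind": ["lib"]},
                     {"name": "build-script-build", "kind": ["custom-build"]}]},
        {"name": "serde_derive", "version": "1.0.188",
         "targets": [{"name": "serde_derive", "kind": ["proc-macro"]}]},
        {"name": "tiny-helper", "version": "0.3.1",
         "targets": [{"name": "tiny-helper", "kind": ["lib"]},
                     {"name": "build-script-build", "kind": ["custom-build"]}]},
    ]
})

# Target kinds whose code runs on the build machine, not just in the artifact.
BUILD_TIME_KINDS = {"custom-build", "proc-macro"}


def build_time_code(metadata_json: str) -> Dict[str, Set[str]]:
    """Map 'name@version' -> set of build-time target kinds for every package
    in the dependency graph that executes code during `cargo build`."""
    found: Dict[str, Set[str]] = {}
    for pkg in json.loads(metadata_json)["packages"]:
        kinds = {k for t in pkg["targets"] for k in t["kind"]
                 if k in BUILD_TIME_KINDS}
        if kinds:
            found[f"{pkg['name']}@{pkg['version']}"] = kinds
    return found


def unapproved(metadata_json: str, approved: Set[str]) -> List[str]:
    """Packages with build-time code whose exact name@version nobody has
    reviewed yet. Keying on the version means a bumped release of an
    already-approved crate (the bought-out-dependency case) is flagged again."""
    return sorted(k for k in build_time_code(metadata_json) if k not in approved)


def sandboxed_build_cmds() -> List[List[str]]:
    """The nix-style two-phase build: resolve and download with network access,
    then compile in a new network namespace with --offline so no build script
    or proc-macro can reach the outside. `unshare --net --map-root-user` needs
    Linux with unprivileged user namespaces enabled (util-linux)."""
    return [
        ["cargo", "fetch", "--locked"],
        ["unshare", "--net", "--map-root-user",
         "cargo", "build", "--offline", "--locked"],
    ]


def gate_and_build(metadata_json: str, approved: Set[str],
                   run: Callable = subprocess.run) -> bool:
    """Refuse to build (return False) while any build-time code is unreviewed;
    otherwise run the fetch-then-offline-build sequence and return True.
    `run` is injectable so the gate can be exercised without a toolchain."""
    pending = unapproved(metadata_json, approved)
    if pending:
        print("review needed for build-time code in: " + ", ".join(pending))
        return False
    for cmd in sandboxed_build_cmds():
        run(cmd, check=True)
    return True


if __name__ == "__main__":
    # Assumed approval list; in practice this file lives in the repo and is
    # updated through code review whenever a flagged crate is inspected.
    approvals = {"libc@0.2.147", "serde_derive@1.0.188"}
    print(unapproved(SAMPLE_METADATA, approvals))  # tiny-helper@0.3.1 is still unreviewed
```

In a real pipeline the JSON comes from `cargo metadata --format-version 1 --locked`, so the listing covers the whole transitive graph rather than only direct dependencies, which is where the "deeply buried dependency" problem lives. The network namespace is what makes the build-time stage honest: with dependencies already fetched, `cargo build --offline` has no legitimate reason to open a socket, so a build script that tries is a detection signal rather than a silent success.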
onlinepersona@programming.dev
on 04 Sep 2023 16:52
That’s a big question and would require more effort than the maintainers of crates.io could probably muster. Also, do you know anybody who has solved it in opensource? How would you enforce the solution on some dude writing code in his basement to “just make it work” on his 1 day off from an otherwise busy life?
technom@programming.dev
on 05 Sep 2023 01:31
Also, do you know anybody who has solved it in opensource?
I forgot to mention that this is a problem on every major language registry - especially PyPI and NPM.
How would you enforce the solution on some dude writing code in his basement to “just make it work” on his 1 day off from an otherwise busy life?
There are two things to consider. The first is that all major open source languages are run by foundations with big players and a lot of funding and donations. It’s probably a good idea to invest in a paid team dedicated to security. I’m sure everyone’s thought about it already but hasn’t done enough so far.
The second fact is that professionals - especially security companies - do occasionally report them. Like this story, for instance. So they are doing something right and it’s possible. It’s a good idea to fund them and increase their scope (hopefully, they won’t introduce any malware just to claim the prize).
KillTheMule@programming.dev
on 05 Sep 2023 09:31
I’m sure everyone’s thought about it already but hasn’t done enough so far.
Note though that the rust foundation has established a security initiative (see e.g. here), which does include the supply chain via crates.io.
technom@programming.dev
on 07 Sep 2023 04:01
Thanks! I missed that one. They are awesome!