| |
| ▲ | tripplyons 4 days ago | parent | next [-] | | Anyone can upload an NPM package without much review. For Homebrew, you at least have to submit a pull request. | | |
| ▲ | n8m8 3 days ago | parent | next [-] | | https://docs.brew.sh/Acceptable-Casks#apps-that-bundle-malwa... > Unfortunately, in the world of software there are bad actors that bundle malware with their apps. Even so, Homebrew Cask has long decided it will not be an active gatekeeper (macOS already has one) and users are expected to know about the software they are installing. This means we will not always remove casks that link to these apps, in part because there is no clear line between useful app, potentially unwanted program, and the different shades of malware—what is useful to one user may be seen as malicious by another. --- So there might be pull requests, but Brew's official stance is that they do not actively moderate casks for malware. I guess there's something built into the MacOS packaging step that help mitigate the risk, but I don't know much about it outside playing w/ app development in XCode. | |
| ▲ | what 3 days ago | parent | prev [-] | | Homebrew has been compromised before. To think it’s immune is a bit naive. | | |
| ▲ | n8m8 3 days ago | parent | next [-] | | Agreed that it's a bit funny given the context and no community-managed package manager should be 100% trusted. That said, I think rg is pretty well known to linux daily-drivers and they just wanted to share something quickly for powerusers who want to check their workspaces quickly. Probably better to just instruct n00bs to use grep than install a whole cli tool for searching Come to think of it, I wonder if a 2-phase attack could be planned by an attacker in the future: Inject malware into a package, flood guidance with instructions to install another popular tool that you also recently compromised... lol | |
| ▲ | tripplyons 3 days ago | parent | prev [-] | | I'm not saying its immune. I'm saying that NPM doesn't have as many protections, making NPM an easier target. |
|
| |
| ▲ | anthk 4 days ago | parent | prev | next [-] | | APT repos for Debian, Trisquel, Ubuntu... require far more checkings and bureaucracy. | | |
| ▲ | socalgal2 4 days ago | parent [-] | | I'll bet they don't. There's way to much churn for it all to be checked | | |
| ▲ | const_cast 4 days ago | parent | next [-] | | Churn? On Debian? It takes like 2 years to get up to date packages. This isn't NPM. | | |
| ▲ | SchemaLoad 3 days ago | parent [-] | | The xscreensaver dev managed to very easily slip a timebomb in to the debian repos. Wasn't obscured in any way, the repo maintainers just don't review the code. It would be physically impossible for them to review all the changes in all the programs. |
| |
| ▲ | justusthane 4 days ago | parent | prev [-] | | No, they are extremely well vetted. Have you ever heard of a supply chain attack involving Red Hat, Debian or Ubuntu repos? | | |
|
| |
| ▲ | dmitrygr 4 days ago | parent | prev [-] | | > don't we consider things like `brew` to be sufficiently low-risk, Like ... npm? | | |
| ▲ | fn-mote 4 days ago | parent | next [-] | | Nah… Everybody knows npm is a gaping security issue waiting to happen. Repeatedly. It’s convenient, so it’s popular. Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date. | | |
| ▲ | dabockster 4 days ago | parent | next [-] | | > Many people also don’t vendor their own dependencies, which would slow down the spread at the price of not being instantly up to date. npm sold it really hard that you could rely on them and not have to vendor dependencies yourself. If I suggested that a decade ago in Seattle, I would have gotten booed out of the room. | | |
| ▲ | marcus_holmes 3 days ago | parent [-] | | I have repeatedly been met with derision when pointing out what a gaping security nightmare the whole Open Source system is, especially npm and its ilk. Yet here we are. And this is going to get massively worse, not better. | | |
| ▲ | Intermernet 3 days ago | parent [-] | | Nothing specific to open source is to blame in this instance. The author got phished. Open source software often has better code vetting and verification than closed source software. npm, however, does not. |
|
| |
| ▲ | johnisgood 3 days ago | parent | prev | next [-] | | Convenient, as in the barrier to entry is way too low. I am pretty much against it. | |
| ▲ | albedoa 3 days ago | parent | prev [-] | | > Nah… I mean, I believe you, but the person you are replying to obviously believes that they are similar. Could you explain the significant differences? |
| |
| ▲ | hunter2_ 4 days ago | parent | prev [-] | | I thought getting code into brew is blocked by some vetting (potentially insufficient, which could be argued for all supply chains), whereas getting code into npm involves no vetting whatsoever. | | |
| ▲ | n8m8 3 days ago | parent [-] | | Went and found the link: https://docs.brew.sh/Acceptable-Casks#apps-that-bundle-malwa... > Unfortunately, in the world of software there are bad actors that bundle malware with their apps. Even so, Homebrew Cask has long decided it will not be an active gatekeeper (macOS already has one) and users are expected to know about the software they are installing. This means we will not always remove casks that link to these apps, in part because there is no clear line between useful app, potentially unwanted program, and the different shades of malware—what is useful to one user may be seen as malicious by another. |
|
|
|
