| ▲ | amiga386 6 hours ago |
| "No Way To Prevent This" Says Only Package Manager Where This Regularly Happens |
|
| ▲ | thih9 6 hours ago | parent | next [-] |
| Parent comment is an indirect reference to US mass shootings:. > "'No Way to Prevent This,' Says Only Nation Where This Regularly Happens" is the recurring headline of articles published by the American news satire organization The Onion after mass shootings in the United States. Source: https://en.wikipedia.org/wiki/%27No_Way_to_Prevent_This,%27_... |
| |
|
| ▲ | creata 6 hours ago | parent | prev | next [-] |
| There's nothing technically different between NPM and, say, Cargo, here that would save Cargo, is there? |
| |
| ▲ | nagisa 5 hours ago | parent | next [-] | | I would say that npm likely has easier solutions here compared to Cargo. Well before the npm attacks were a thing, we within the Rust project, have discussed a lot of using wasm sandboxing for build-time code execution (and also precompiled wasm for procedural macros, but that's its own thing.) However the way build scripts are used in the Rust ecosystem makes it quite difficult enforce sandbox while also enabling packages to build foreign code (C, C++ invoke make, cmake, etc.) The sandbox could still expose methods to e.g. "run the C compiler" to the build scripts, but once that's done they have an arbitrary access to a very non-trivial piece of code running in a privileged environment. Whereas for Javascript rarely does a package invoke anything but other javascript code during the build time. Introduce a stringent sandbox for that code (kinda deno style perhaps?) and a large majority of the packages are suddenly safe by default. | |
| ▲ | tjpnz 6 hours ago | parent | prev [-] | | This is a cultural problem created through a fundamental misunderstanding (and mis-application) of Unix philosophy. As far as I'm aware the Rust ecosystem doesn't have a problem appropriately sizing packages which in turn reduces the overall attack surface of dependencies. | | |
| ▲ | creata 5 hours ago | parent | next [-] | | I agree, but imo the Rust ecosystem has the same problem. Not to the extent of NPM, but worse than C/C++. | |
| ▲ | junon 5 hours ago | parent | prev [-] | | This has nothing to do with package sizes. Cargo was just hit with a phishing campaign not too long ago, and does still use tokens for auth. NPM just has a wider surface area. |
|
|
|
| ▲ | globalise83 6 hours ago | parent | prev | next [-] |
| No Preventative Measures (NPM) |
| |
| ▲ | zenmac 6 hours ago | parent [-] | | You can host your own NPM reg, and examine every package, but your manager probably is NOT going to go for that. | | |
| ▲ | venturecruelty 16 minutes ago | parent [-] | | Sounds like something a union should enforce as part of a drive to protect programmer professionalism. |
|
|
|
| ▲ | SkyPuncher 2 hours ago | parent | prev | next [-] |
| The circumstances for this are not unique to NPM. The popularity is what makes it so susceptible to these attacks. |
| |
| ▲ | btbuildem an hour ago | parent [-] | | It's not just the popularity, it's partly the update mechanism and partly the culture. In what sane world would you always pull in all the newest things, regardless or whether you need them or not? This is a default at build time for so many setups. If you absolutely must use that package manager, at least lock down your versions, and update selectively. I don't even know if that's possible to do with the dependencies' dependencies (and so on), or are people forced to just pull in whatever, every time. |
|
|
| ▲ | 5 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | AndroTux 6 hours ago | parent | prev [-] |
| Okay then, tell me a way to prevent this. |
| |
| ▲ | amiga386 5 hours ago | parent | next [-] | | An example: Java Maven artifacts typically name the exact version of their dependencies. They rarely write "1.2.3 or any newer version in the 1.2.x series", as is the de-facto standard in NPM dependencies. Therefore, it's up to each dependency-user to validate newer versions of dependencies before publishing a new version of their own package. Lots of manual attention needed, so a slower pace of releases. This is a good thing! Another example: all Debian packages are published to unstable, but cannot enter testing for at least 2-10 days, and also have to meet a slew of conditions, including that they can be and are built for all supported architectures, and that they don't cause themselves or anything else to become uninstallable. This allows for the most egregious bugs to be spotted before anyone not directly developing Debian starts using it. | | |
| ▲ | jml78 4 hours ago | parent [-] | | You forgot to mention it is also tied to provable namespaces. People keep saying that NPM is just the biggest target... Hate to break it to you but from targeting enterprises, java maven artifacts would be a MASSIVE target. It is just harder to compromise because NPM is such shit. | | |
| ▲ | redwall_hp an hour ago | parent [-] | | Maven Central verifies the domain used for the package namespace, too. You need to create a DNS TXT entry with a key. This adds a bit more overhead to typo squatting, and a paper trail, since a domain registrar can have identity/billing information subpoenaed. Versus changing a config file and running a publish command... |
|
| |
| ▲ | venturecruelty 14 minutes ago | parent | prev | next [-] | | You have separate people called "maintainers", and they're the ones who build and upload packages to the repository. Crucially, they're not the people who write the software. You know, like Linux has been doing since forever. https://wiki.debian.org/DebianMaintainer Instead of treating your package repository like a trash can at a music festival, you can treat it more like a museum, curated by experts. Unfortunately, this isn't quite the devil-may-care attitude the Node ecosystem is so accustomed to, and will be met with a lot of whining, so it never happens. See y'all in two weeks when this happens again. | |
| ▲ | pabs3 5 hours ago | parent | prev | next [-] | | Build packages from source without any binaries (all the way down) and socially audit the source before building. https://bootstrappable.org/
https://reproducible-builds.org/
https://github.com/crev-dev | |
| ▲ | Balinares 5 hours ago | parent | prev | next [-] | | Other languages seem to publish dependencies as self-contained packages whose installation does not require running arbitrary shell scripts. This does not prevent said package from shipping with malware built in, but it does prevent arbitrary shell execution on install and therefore automated worm-like propagation. | |
| ▲ | seethishat 4 hours ago | parent | prev | next [-] | | I think some system would need to dynamically analyze the code (as it runs) and record what it does. Even then, that may not catch all malicious activity. It's sort of hard to define what malicious activity is. Any file read or network conn could, in theory, be malicious. As a SW developer, you may be able to limit the damage from these attacks by using a MAC (like SELinux or Tomoyo) to ensure that your node app cannot read secrets that it is not intended to read, conns that it should not make, etc. and log attempts to do those things. You could also reduce your use of external packages. Until slowly, over time you have very little external dependencies. | |
| ▲ | blueflow 6 hours ago | parent | prev | next [-] | | The same way it always has been done - vendor your deps. | | |
| ▲ | joshstrange 6 hours ago | parent | next [-] | | That literally makes no difference at all. You’ll just vendor the malicious versions. No, a lock file with only exact versions is the safe path here. We haven’t seen a compromise to existing versions that I know of, only patch/minor updates with new malicious code. I maintain that the flexibility in npm package versions is the main issue here. | | |
| ▲ | blueflow 5 hours ago | parent [-] | | You are using the word "vendoring" differently than i do, i mean some kind of private fork of the repository. | | |
| ▲ | joshstrange 5 hours ago | parent [-] | | You are using the word differently than everyone else I think. I’ve never heard someone using that word to mean maintain private forks. Then again, even private forks don’t protect you much more than package lock files and they are way more overhead IMHO. You still need some out-of-band process to pull upstream updates and aside from a built-in “cool down” (until you merge changes) I see that method as having a huge amount of downside. Yes, you sidestep malicious versions pushed to npm but now you own the build process for all your dependencies and you have to find time to update (and fix builds if they break) all your dependencies. Locking to a specific version and waiting some period of time (cool down) before updating is way easier and jus as safe IMHO. | | |
| ▲ | Yokohiii 3 hours ago | parent [-] | | Vendoring literally just means grabbing the source code from origin and commit it to your repo after a review.
The expectation that every repo has important regular updates for you is pure FOMO. And if I don't do random updates for fun, nothing will every break. [redacted bullshit!] | | |
| ▲ | joshstrange 2 hours ago | parent [-] | | > Version locking wont help you all the time, i.e. if you build fresh envs from scratch. I'm confused on this. I would imagine it would protect/help you as long as releases are immutable which they are for most package managers (like npm). > Vendoring literally just means grabbing the source code from origin and commit it to your repo after a review. Hmm, I don't think it always necessarily means grabbing the source, it can also mean grabbing the built artifacts in my experience. My biggest issue with vendoring dependencies is it allows for editing of said dependencies. Almost everywhere I've worked that vendored dependencies (copied source or built versions in and committed them) felt the siren song of modifying said dependencies which is hell to deal with later. | | |
| ▲ | Yokohiii 2 hours ago | parent [-] | | You are right about version locking, bullshit on my side, not sure what I was thinking. I personally don't have a problem with the general ability to change vendor code. The question is whether you want it in an specific case or not. If you update frequently then certainly not. But that decision should be deliberate team policy. | | |
| ▲ | joshstrange 2 hours ago | parent [-] | | > I personally don't have a problem with the general ability to change vendor code. The question is whether you want it in an specific case or not. If you update frequently then certainly not. But that decision should be deliberate team policy. Fair, in the instances I ran into it was code that was downloaded and unzipped into a "js-library-name" folder but then the code was edited, even worse, the `.min.js` version wasn't touched, just the original one which led to some fun when someone "helpfully" switched to the min versions that didn't have the edit. IMHO, if you want to edit a library then you should be forking and/or making it super obvious that this is not "stock" library X. We also ran into issues with "just updated library Y" and only later realizing someone had modified the older version. But yes, if it's deliberate and obvious then I don't have an issue modifying, just as long as the team understands it's "their" code now and there is no clean upgrade path in the future. | | |
| ▲ | Yokohiii 37 minutes ago | parent [-] | | I'd require vendor code being committed to git and integrated into the CI/CD pipeline. It should be treated as if you own it, just with a policy whether you want to change it or not. The difficulty to make changes obvious is same for forks and vendored commits, imho. You can write big warnings in commit messages, that's it I guess. Which kind of boils down to deliberate team policy again. But I generally prefer monorepos for various reasons. |
|
|
|
|
|
|
| |
| ▲ | sph 6 hours ago | parent | prev | next [-] | | To be fair this does only work in ecosystems where libraries are stable and don't break every 3 months as it often happens on the JS world. You can vendor your left-pad, but good luck doing that with a third-party SDK. | | |
| ▲ | CGamesPlay 6 hours ago | parent [-] | | ... you vendor the third-party SDK? Nobody worth working with is breaking their SaaS APIs with that cadence. |
| |
| ▲ | hu3 6 hours ago | parent | prev [-] | | that's what I do whenever feasible. Which is often |
| |
| ▲ | tmvnty 5 hours ago | parent | prev | next [-] | | Other than general security practices, here are few NPM ecosystem specific ones: https://github.com/bodadotsh/npm-security-best-practices | |
| ▲ | codedokode 5 hours ago | parent | prev [-] | | Hire an antivirus company to provide a safe and verified feed of packages. Use ML and automatic scanners to send packages to manual review. While Halting problem prevents us from 100% reliably detecting malware, at least we can block everything suspicious. |
|
