| ▲ | agentifysh 5 hours ago |
| yeah i mean this is a tough problem. unless you work for a government contractor where they have strict security policies, most devs are just going to run npm install without a second thought as there are a lot of packages. i dont know what the solution here is other than stop using npm |
|
| ▲ | josephg 4 hours ago | parent | next [-] |
| > i dont know what the solution here is other than stop using npm Personally I think we need to start adding capability based systems into our programming languages. Random code shouldn't have "ambient authority" to just do anything on my computer with the same privileges as me. Like, if a function has this signature: function add(a: int, b: int) -> int
Then it should only be able to read its input, and return any integer it wants. But it shouldn't get ambient authority to access anything else on my computer. No network access. No filesystem. Nothing.Philosophically, I kind of think of it like function arguments and globals. If I call a function foo(someobj), then function foo is explicitly given access to someobj. And it also has access to any globals in my program. But we generally consider globals to be smelly. Passing data explicitly is better. But the whole filesystem is essentially available as a global that any function, anywhere, can access. With full user permissions. I say no. I want languages where the filesystem itself (or a subset of it) can be passed as an argument. And if a function doesn't get passed a filesystem, it can't access a filesystem. If a function isn't passed a network socket, it can't just create one out of nothing. I don't think it would be that onerous. The main function would get passed "the whole operating system" in a sense - like the filesystem and so on. And then it can pass files and sockets and whatnot to functions that need access to that stuff. If we build something like that, we should be able to build something like npm but where you don't need to trust the developers of 3rd party software so much. The current system of trusting everyone with everything is insane. |
| |
| ▲ | ratmice 3 hours ago | parent | next [-] | | I couldn't agree with you more, the thing is our underlying security models are
protecting systems from their users, but do nothing for protecting user data from the programs they run. Capability based security model will fix that. | | |
| ▲ | Gigachad 3 hours ago | parent [-] | | Only on desktop. Mobile has this sorted. Programs have access to their own files unrestricted, and then can access the shared file space only through the users specifically selecting them. | | |
| ▲ | josephg 2 hours ago | parent [-] | | I think there's 2 kinds of systems we're talking about here: 1. Capabilities given to a program by the user. Eg, "This program wants to access your contacts. Allow / deny". But everything within a program might still have undifferentiated access. This requires support from the operating system to restrict what a program can do. This exists today in iOS and Android. 2. Capabilities within a program. So, if I call a function in a 3rd party library with the signature add(int, int), it can't access the filesystem or open network connections or access any data thats not in its argument list. Enforcing this would require support from the programming language, not the operating system. I don't know of any programming languages today which do this. C and Rust both fail here, as any function in the program can access the memory space of the entire program and make arbitrary syscalls. Application level permissions are a good start. But we need the second kind of fine-grained capabilities to protect us from malicious packages in npm, pip and cargo. | | |
| ▲ | ratmice 36 minutes ago | parent [-] | | I would also say there is a 3rd class, which are distributed capabilities. When you look at a mobile program such as the GadgetBridge which is synchronizing data between a mobile device and a watch, and number of permissions it requires
like contacts, bluetooth pairing, notifications, yadda yadda the list goes on. Systems like E-Lang wouldn't bundle all these up into a single application. Your watch would have some capabilities, and those would interact directly with capabilities on the phone. I feel like if you want to look at our current popular mobile OS's as capability systems the capabilities are pretty coarse grained. One thing I would add about compilers, npm, pip, cargo. Is that compilers are transformational programs, they really only need read and write access to a finite set of input, and output. In that sense, even capabilities are overkill because honestly they only need the bare minimum of IO, a batch processing system could do better than our mainstream OS security model. |
|
|
| |
| ▲ | irishcoffee 4 hours ago | parent | prev [-] | | > No network access. No filesystem. Nothing. Ironically, any c++ app I've written on windows does exactly this. "Are you sure you want to allow this program to access networking?" At least the first time I run it. I also rarely write/run code for windows. | | |
| ▲ | christophilus 2 hours ago | parent [-] | | Yeah, but if that app was built using a malicious dependency that only relied on the same permissions the app already uses, you’d just click “Yes” and move on and be pwned. | | |
| ▲ | irishcoffee an hour ago | parent [-] | | Oh, I don't npm. If I can't yum (et.al.) install it I absolutely review the past major point releases for an hour and do my research on the library. |
|
|
|
|
| ▲ | miroljub 4 hours ago | parent | prev | next [-] |
| The issue with npm is JS doesn't have a stdlib, so developers need to rely on npm and third party libs even for things stdlib provide in languages like Java, Python, Go, ... |
| |
| ▲ | josephg 4 hours ago | parent | next [-] | | Sure it does. The JS standard library these days is huge. Its way bigger than C, Zig and Rust. It includes: - Random numbers - Timezones, date formatting - JSON parsing & serialization - Functional programming tools (map, filter, reduce, Object.fromEntries, etc) - TypedArrays And if you use bun or nodejs, you also have out of the box access to an HTTP server, filesystem APIs, gzip, TLS and more. And if you're working in a browser, almost everything in jquery has since been pulled into the browser too. Eg, document.querySelector. Of course, web frameworks like react aren't part of the standard library in JS. Nor should they be. What more do you want JS to include by default? What do java, python and go have in their standard libraries that JS is missing? | | |
| ▲ | krapp 4 hours ago | parent [-] | | When people say "js doesn't have a stdlib" they mean "js doesn't have a robust general purpose stdlib like C++ or ${LANGUAGE_ID_RATHER_BE_USING}." But of course it fucking doesn't because it's a scripting language for the web. It has what it needs, and to do that it doesn't need much. | | |
| ▲ | josephg 4 hours ago | parent [-] | | > When people say "js doesn't have a stdlib" they mean "js doesn't have a robust general purpose stdlib like C++ ... It does though! The JS stdlib even includes an entire wasm runtime. Its huge! Seriously. I can barely think of any features in the C++ stdlib that are missing from JS. There's a couple - like JS is missing std::priority_queue. But JS has soooo much stuff that C++ is missing. Its insane. |
|
| |
| ▲ | Eduard 4 hours ago | parent | prev | next [-] | | JS has a stdlib, so to say. See nodejs, and Web standard. And no programming language's stdlib includes e. g. WhatsApp API libraries | |
| ▲ | 4 hours ago | parent | prev [-] | | [deleted] |
|
|
| ▲ | irishcoffee 4 hours ago | parent | prev [-] |
| > unless you work for a government contractor where they have strict security policies ... So you're saying there is a blueprint for mitigating this already, and it just isn't followed? |
| |
| ▲ | kankerlijer 4 hours ago | parent | next [-] | | It's more work and more restrictive I suppose. Any business is free to set up jfrog Artifactory and only allow the installation of approved dependencies. And anyone can pull Ironbank images I believe. | |
| ▲ | parliament32 4 hours ago | parent | prev [-] | | Yes, but it requires people. Typically, you identify a package you want (or a new version of a package you want) and you send off a request to a separate security team. They analyze and approve, and the package becomes available in your internal package manager. But this means 1) you need that team of people to do that work, and 2) there's a lot of hurry-up-and-wait involved. | | |
| ▲ | irishcoffee 4 hours ago | parent [-] | | > Yes, but it requires people. I've heard rumor of a few 100k people laid off in tech over the past few years that might be interested. | | |
| ▲ | ThunderSizzle 3 hours ago | parent [-] | | Whose gonna pay for it? The companies that laid off those people? They'll just continue on without worrying. |
|
|
|
