mixedbit 8 hours ago

An extension from a trusted, non-anonymous developer which is released as open source is a good signal that the extension can be trusted. But keep in mind that distribution channels for browser extensions, similarly to distribution channels for most other open source packages (pip, npm, rpm), do not provide any guarantee that the package you install and run is actually built verbatim from the code which is open sourced.

jakub_g 8 hours ago | parent | next [-]

Actually, npm supports "provenance", and as it eliminated long-lived access tokens for publishing, it encourages people to use "trusted publishing", which over time should make the majority of packages auto-provenance-verified.

https://docs.npmjs.com/trusted-publishers#automatic-provenan...
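Added example, not part of the thread and not npm's own code: what the client side of "provenance-verified" boils down to once the Sigstore signature on the attestation bundle has been checked (which `npm audit signatures` does and this snippet does not). The attestation payload is an in-toto Statement carrying a SLSA provenance predicate; the field names below follow that layout as used by npm's GitHub Actions builder, while the tarball bytes, package name, repository and workflow path are constructed for the example. The third case shows why the repository check matters: a package built by some other repository can carry perfectly valid provenance.

```python
import base64
import hashlib
import json

# Constructed for this example: stands in for the bytes of example-pkg-1.2.3.tgz.
SAMPLE_TARBALL = b"constructed tarball bytes standing in for example-pkg-1.2.3.tgz\n"
# Assumptions: the repo and workflow the open-source project says it publishes from.
EXPECTED_REPO = "https://github.com/example-org/example-pkg"
EXPECTED_WORKFLOW = ".github/workflows/publish.yml"


def sri_to_hex(integrity: str) -> str:
    """Turn a lockfile 'sha512-<base64>' SRI string into the hex digest form
    used by in-toto subjects."""
    algo, b64 = integrity.split("-", 1)
    if algo != "sha512":
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    return base64.b64decode(b64).hex()


def lockfile_integrity(tarball: bytes) -> str:
    """The 'integrity' value package-lock.json records for this tarball."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()


def build_statement(tarball: bytes, repo: str, workflow_path: str, ref: str) -> dict:
    """Constructed in-toto Statement v1 with a SLSA v1 provenance predicate,
    shaped like the payload inside an npm provenance attestation."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/example-pkg@1.2.3",
                     "digest": {"sha512": hashlib.sha512(tarball).hexdigest()}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
                "externalParameters": {
                    "workflow": {"ref": ref, "repository": repo, "path": workflow_path}
                },
                "resolvedDependencies": [
                    {"uri": f"git+{repo}@{ref}", "digest": {"gitCommit": "0" * 40}}
                ],
            },
            "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
        },
    }


def check_provenance(statement: dict, tarball: bytes, integrity: str,
                     expected_repo: str, expected_workflow: str) -> list:
    """Return the list of failed checks; an empty list means the provenance is
    accepted. Assumes the bundle signature and transparency-log inclusion were
    already verified by the caller. It also says nothing about what the
    workflow itself pulled in while building, only where the build ran."""
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicate is not SLSA provenance v1")

    actual = hashlib.sha512(tarball).hexdigest()
    attested = [s.get("digest", {}).get("sha512") for s in statement.get("subject", [])]
    if actual not in attested:
        failures.append("tarball digest is not among the attested subjects")
    if sri_to_hex(integrity) != actual:
        failures.append("lockfile integrity does not match downloaded tarball")

    wf = (statement.get("predicate", {}).get("buildDefinition", {})
          .get("externalParameters", {}).get("workflow", {}))
    if wf.get("repository") != expected_repo:
        failures.append(f"built from {wf.get('repository')!r}, expected {expected_repo!r}")
    if wf.get("path") != expected_workflow:
        failures.append(f"built by workflow {wf.get('path')!r}, expected {expected_workflow!r}")
    return failures


if __name__ == "__main__":
    good = build_statement(SAMPLE_TARBALL, EXPECTED_REPO, EXPECTED_WORKFLOW, "refs/tags/v1.2.3")
    lock = lockfile_integrity(SAMPLE_TARBALL)
    print("genuine:", check_provenance(good, SAMPLE_TARBALL, lock, EXPECTED_REPO, EXPECTED_WORKFLOW))
    print("tampered tarball:", check_provenance(good, SAMPLE_TARBALL + b"x", lock, EXPECTED_REPO, EXPECTED_WORKFLOW))
    other = build_statement(SAMPLE_TARBALL, "https://github.com/attacker/example-pkg", EXPECTED_WORKFLOW, "refs/tags/v1.2.3")
    print("other repo:", check_provenance(other, SAMPLE_TARBALL, lock, EXPECTED_REPO, EXPECTED_WORKFLOW))
```

The expected repository and workflow path have to come from somewhere the registry does not control (the project's README, a pinned value in your own policy file), otherwise the check only proves the package was built by whoever published it.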

btown 3 hours ago | parent | next [-]

Unless the Chrome web store integrates with this, it puts the onus on users to continuously scan extension updates for hash mismatches with the public extension builds, which isn’t standardized. And even then this would be after an update is unpacked, which may not run in time to prevent initial execution. Nor does it prevent a supply chain attack on the code running in the GitHub Action for the build, especially if dependencies aren’t pinned. There’s no free lunch here.
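Added example, not part of the thread: the unstandardized comparison described above, done once for a single extension version. It hashes every file of an unpacked installed extension and of a local build from the open-source tree, after discounting two differences the Chrome Web Store introduces on its side (the `_metadata/` directory Chrome writes into installed extensions, and the `update_url` it injects into `manifest.json`), and reports what still differs. The extension contents, including the injected line in `bg.js`, are constructed for the example; the directory paths and helper names are this example's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Store-side additions a build from source will not contain.
STORE_ONLY_DIRS = {"_metadata"}        # written by Chrome into installed extensions
STORE_MANIFEST_KEYS = {"update_url"}   # injected into manifest.json by the Chrome Web Store


def normalized_bytes(path: Path) -> bytes:
    """Bytes to hash for a file; manifest.json is re-serialized canonically
    with the store-injected keys removed so both sides compare equal."""
    if path.name == "manifest.json":
        manifest = json.loads(path.read_bytes())
        for key in STORE_MANIFEST_KEYS:
            manifest.pop(key, None)
        return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return path.read_bytes()


def tree_digests(root) -> dict:
    """Map of relative POSIX path -> sha256 for every file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in STORE_ONLY_DIRS:
            continue
        digests[rel.as_posix()] = hashlib.sha256(normalized_bytes(path)).hexdigest()
    return digests


def compare_builds(installed, reference) -> dict:
    """Diff an unpacked installed extension against a build from source."""
    a, b = tree_digests(installed), tree_digests(reference)
    return {
        "only_in_installed": sorted(set(a) - set(b)),
        "only_in_reference": sorted(set(b) - set(a)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def write_tree(root, files: dict) -> None:
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content if isinstance(content, bytes) else content.encode())


def sample_comparison(tampered: bool) -> dict:
    """Constructed sample: a reference build and an 'installed' copy carrying
    the store's harmless additions, optionally with one injected script line."""
    manifest = {"manifest_version": 3, "name": "demo", "version": "1.0",
                "background": {"service_worker": "bg.js"}}
    reference = {
        "manifest.json": json.dumps(manifest),
        "bg.js": "console.log('hello');\n",
        "icons/16.png": b"\x89PNG constructed placeholder",
    }
    installed = dict(reference)
    installed["manifest.json"] = json.dumps(
        {**manifest, "update_url": "https://clients2.google.com/service/update2/crx"})
    installed["_metadata/verified_contents.json"] = "[]"
    if tampered:
        installed["bg.js"] = reference["bg.js"] + "fetch('https://example.invalid/beacon');\n"
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp, "installed"), installed)
        write_tree(Path(tmp, "reference"), reference)
        return compare_builds(Path(tmp, "installed"), Path(tmp, "reference"))


if __name__ == "__main__":
    print("clean:   ", sample_comparison(tampered=False))
    print("tampered:", sample_comparison(tampered=True))
```

For a real extension the two roots would be the profile's unpacked extension directory and the output of the project's documented build; an empty result only means the two trees match, and as noted above it is reached after the update is already on disk.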

smithza 5 hours ago | parent | prev | next [-]

key word "encourages"

when someone uses `npm install/add/whatever-verb`, does it default to only using trusted publishing sources? and the dependency graph?

either 100% enforcement or it won't stick, and these attack vulnerabilities are still there.

elashri 7 hours ago | parent | prev [-]

PyPI also added this last year [1] and is encouraging people to use trusted publishing as well.

[1] https://docs.pypi.org/trusted-publishers/

m4rtink 7 hours ago | parent | prev [-]

If the RPM/deb comes from a Linux distribution then there is a good chance there is a separate maintainer and the binary package is always built from the source code by the distro.

Also, if the upstream developer goes malicious, there is a good chance at least one of the distro maintainers will notice and both prevent the bad source code from being built for the distro and notify others.

pocksuppet 5 hours ago | parent [-]

Browser extensions come from the Chrome/Firefox addon store, though, and not through distros.