
Unless your package manager enforces signatures and you trust the person who signed the package, this is an attack vector for you.

That includes Java (Maven), Ruby (Gems, Bundler), Node (npm), Haskell (stack), etc.

Installing code via package managers is the coder's equivalent of opening up an exe sent to you in an email.

Code downloaded from the internet is not to be trusted.

Package signing is no silver bullet.

Signing packages helps against typosquatting about as much as SSL certificates help against phishing. Or in other words, not at all, especially if we don't have the certificates rooted in real world identities (like EV SSL certs).


I thought Maven enforces signatures? Though that doesn't fully mitigate the risk as you still have to trust the signer.


Signatures are good, but do not help in this case (typo-squatting)
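The point made in the two comments above (a valid signature tells you who published the name you asked for, not whether that name is the one you meant), as an added example that is not part of this thread or of any package manager mentioned in it. Publishers, keys, package names and tarball bytes are all constructed, and HMAC-SHA256 stands in for a real per-publisher signature scheme; the lookalike check is a plain edit-distance comparison against names the user already trusts.

```python
"""Added example (not from the thread): a signature check and a lookalike-name
check are independent. Publishers, keys, package names and tarball bytes below
are all constructed; HMAC-SHA256 stands in for a real package signature scheme."""
import hashlib
import hmac

# Constructed publisher signing keys (a stand-in for per-publisher key pairs).
PUBLISHER_KEYS = {
    "lodash-maintainers": b"constructed-key-of-the-real-maintainers",
    "random-account": b"constructed-key-of-an-unrelated-account",
}


def sign(key: bytes, name: str, payload: bytes) -> str:
    """Signature over (package name, tarball). The name is bound into the
    signature, but nothing here says which name the *user* intended."""
    return hmac.new(key, name.encode() + b"\0" + payload, hashlib.sha256).hexdigest()


def verify(key: bytes, name: str, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, name, payload), sig)


def publish(publisher: str, name: str, payload: bytes) -> dict:
    key = PUBLISHER_KEYS[publisher]
    return {"publisher": publisher, "payload": payload, "sig": sign(key, name, payload)}


# Constructed registry: the real package and a lookalike signed by someone else.
REGISTRY = {
    "lodash": publish("lodash-maintainers", "lodash", b"real lodash tarball"),
    "lodahs": publish("random-account", "lodahs", b"tarball with an extra postinstall hook"),
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    insertions, deletions, substitutions and adjacent transpositions cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(requested: str, trusted_names, max_distance: int = 1) -> list:
    """Trusted names within max_distance of the requested name, nearest first."""
    hits = [(osa_distance(requested, n), n) for n in trusted_names if n != requested]
    return [n for dist, n in sorted(hits) if dist <= max_distance]


def resolve(requested: str, trusted_names) -> dict:
    """What a client learns: whether the signature verifies under the key of
    whoever published the name, and whether the name looks like a trusted one."""
    entry = REGISTRY[requested]
    key = PUBLISHER_KEYS[entry["publisher"]]
    return {
        "publisher": entry["publisher"],
        "signature_valid": verify(key, requested, entry["payload"], entry["sig"]),
        "lookalikes": lookalikes(requested, trusted_names),
    }


if __name__ == "__main__":
    trusted = ["lodash", "express", "react"]
    for name in ("lodash", "lodahs"):
        print(name, resolve(name, trusted))
```

Both entries verify: the lookalike was signed by the account that owns the lookalike name, so the signature check passes exactly as it should. Only the name comparison flags "lodahs" as one transposition away from "lodash". A distance threshold of 1 will also flag legitimate neighbours, so treat a hit as a prompt for a human, not an automatic block.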
