
Something I've been waiting to see from language package managers is more attention paid to security. I believe both cargo and pip packages can run arbitrary code as the local user the instant they are installed, and malicious packages have existed in the wild for years. I also recall a blog post where someone was scanning PyPI for malicious Python packages, only to realize that `pip download` also executed code.

Just downloading a library to a local source code directory should not cause arbitrary code to run on your system, and there should be safeguards in place so developers are not one typo away from a malicious package pwning their entire system. Supply chain attacks remain a huge area of concern.

Instead, when I "ctrl+f security" the homepages of any of these new packaging systems, I get 0 results. Not good.
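An added example, not from this thread: a Python function that reads the name and version from an sdist's static PKG-INFO and flags the presence of setup.py and pyproject.toml by reading archive members only, so nothing packaged in the archive runs; the tarball and its contents are constructed inline and hypothetical.

```python
import io
import tarfile


def make_sample_sdist() -> bytes:
    """Build a constructed, hypothetical sdist-like tar.gz in memory."""
    files = {
        "demo-1.0/PKG-INFO": "Metadata-Version: 2.1\nName: demo\nVersion: 1.0\n",
        "demo-1.0/setup.py": "from setuptools import setup\nsetup()\n",
        "demo-1.0/pyproject.toml": '[build-system]\nbuild-backend = "setuptools.build_meta"\n',
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_sdist(blob: bytes) -> dict:
    """Report metadata and build-hook files by reading archive members only.

    Nothing is extracted to disk and nothing from the archive is executed;
    PKG-INFO is static metadata the sdist carries alongside setup.py.
    """
    report = {"name": None, "version": None,
              "has_setup_py": False, "has_pyproject": False}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # Only files directly under the single top-level directory matter.
            if not member.isfile() or len(parts) != 2:
                continue
            base = parts[1]
            if base == "PKG-INFO":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("Name: "):
                        report["name"] = line[len("Name: "):].strip()
                    elif line.startswith("Version: "):
                        report["version"] = line[len("Version: "):].strip()
            elif base == "setup.py":
                report["has_setup_py"] = True  # executed by the build backend
            elif base == "pyproject.toml":
                report["has_pyproject"] = True  # names the backend that runs
    return report
```

pip invokes the build backend for sdists even during `pip download`, to obtain metadata for dependency resolution; restricting a download to wheels with `--only-binary=:all:` avoids that step entirely.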




> I also recall a blog post where someone was scanning PyPI for malicious Python packages, only to realize that `pip download` also executed code.

I think you're thinking of this post[1]. The code being searched for wasn't malicious, just buggy :-)

[1]: https://moyix.blogspot.com/2022/09/someones-been-messing-wit...


Thanks, that's the one! I was actually just trying to find it.

Heh, I forgot about the anime catgirl part.



