This sounds like a prime new vector for malware, ironically.
This is the opposite of "do one thing and do it well" unix philosophy.
You don't need your package manager to invoke your hook. You need _your_ tooling to invoke your hook.
./safely-bump-deps.sh && npm install
Want it global? Use a bash alias.
System package managers (at least apt & portage) have a whole bunch of hooks. I guess this is talking about language package managers.
TFA is also a bit hazy on what hooks exactly?
1. There are 5 competing standards.
2. This is clearly unacceptable, so we've created the one standard to unite them all™.
3. There are 6 competing standards.
This seems to be primarily a problem with NPM, since it's the only package manager that I know of that allows for package authors to essentially run arbitrary post-install scripts silently on package install.
Shai Hulud/Mini Shai Hulud happened because of this obvious glaring hole in the system; they even had the script download an official copy of Bun to spread itself in case the targeted machine had hardened its security. So, the real question is not what other security features a package manager needs, it should be: why does a package manager have the ability to let package authors run arbitrary scripts silently on other people's computers in the first place?
It doesn't really matter how good your security system is if the front door is left wide open for anyone to walk through.
>Every package install is checked against the threat feed and it raises an exception if we find something malicious being installed.
So your solution is to reinvent signature-based antiviruses, like Norton Antivirus and McAfee?
The problem with these 2000s approaches was that attackers could:
1- Fuzz their payloads so that they are never the same and they don't trigger detection.
2- Offload payload mechanisms so that your monitoring system needs to play cat and mouse. For example, what if the malicious code does wget https://IP/file, will you detect wget commands? Will you scan for whatever looks like a URL? Ok, what if they do "another_package_manager_like_flatpack malicious_package", will your scanner implement all package managers? What if they construct the url? "protocol + "://" + domain + file" surely your global hook thing will notice that is a url and how it is downloaded and inspect those contents as well?
3- The attacker can control the timing and infect every user at the same time, especially if they control the update mechanism of users whose security policy is to keep things patched. Even if the malicious update is not simultaneous, the malicious update can start distribution, and the attack is only triggered months later (simultaneously) when enough users have downloaded it (beating latency policies).
The only solution is to do actual work and either write the thing you are trying to offload to the 'open source community', or actually write it yourself. But of course more work is going to be put into the possibility of a magical easy solution than into a deterministic hard solution.
Everyone is looking at how bad NPM or AUR is lately. Those are "free for all, anything can happen, any kid can publish" repositories and that's what you get.
No one looks at Debian and is saying "well maybe we should do what they do"...