
ozimt today at 7:13 AM

> Every package install is checked against the threat feed and it raises an exception if we find something malicious being installed

OK, the big problem is that lots of stuff installed for campaigns wasn't flagged in any feed. If maintainer access is taken over, you still don't have any feed info; maybe it will be a bit faster to publish if the maintainer finds out.

Everyone is looking at how bad NPM or AUR is lately. Those are "free for all, anything can happen, any kid can publish" repositories, and that's what you get.

No one looks at Debian and is saying "well maybe we should do what they do"...


Replies

captn3m0 today at 7:30 AM

Author here - people are definitely looking at other places. This just happens to be where the attacks are, and gets disproportionate attention as a result.

Do you have examples of campaigns that weren't flagged? Everything except xz had a 1-day window, and Dependency Cooldowns are super effective against most campaigns for that reason.

See the papers at https://kokkonisd.github.io/ for example.
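To make the two mechanisms discussed in this thread concrete (the threat-feed check in the quoted post above, and the dependency cooldown that this reply says defeats most short-window campaigns), here is an added example that is not code from the original post, from the linked author, or from any registry. It assumes npm-style registry metadata, where the package document's `time` map records when each version was published, and it treats the package name `example-pkg`, the version timestamps, and the threat-feed entries as constructed sample data. The resolver only considers versions whose publish time is older than the cooldown, then raises if the version it would install is on the feed. The caveat captn3m0 raises applies here as well: a cooldown buys nothing against a long-game backdoor like xz, where the malicious release sat unnoticed for far longer than any sensible cooldown window.

```python
"""Dependency cooldown plus threat-feed check over npm-style registry metadata.

Constructed example: the package name, version timestamps and threat-feed
entries below are made up for illustration and do not describe a real package.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Fixed "current time" so the example is reproducible (constructed).
NOW = datetime(2025, 9, 16, 12, 0, tzinfo=timezone.utc)

# Constructed npm-style "time" map for a hypothetical package. The registry
# (not the package author) stamps these, which is what makes a cooldown useful:
# version 2.3.1 was published less than a day ago, the shape of a release pushed
# from a freshly hijacked maintainer account.
PACKAGE_NAME = "example-pkg"
PACKAGE_TIME_MAP: Dict[str, str] = {
    "created": "2023-01-10T09:00:00.000Z",
    "modified": "2025-09-15T18:40:00.000Z",
    "2.2.0": "2025-06-02T10:15:00.000Z",
    "2.3.0": "2025-08-20T14:05:00.000Z",
    "2.3.1": "2025-09-15T18:40:00.000Z",
}

# Constructed threat feed: (package, version) pairs flagged as malicious.
THREAT_FEED: Set[Tuple[str, str]] = {("example-pkg", "2.2.0")}


class MaliciousPackageError(Exception):
    """Raised when the version about to be installed is on the threat feed."""


def parse_npm_time(ts: str) -> datetime:
    """Parse the registry's ISO-8601 'Z' timestamps into aware UTC datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> Tuple[Tuple[int, ...], bool, str]:
    """Sort key for dotted versions; a prerelease (2.3.1-rc1) ranks below its release."""
    core, _, pre = version.partition("-")
    return tuple(int(p) for p in core.split(".")), pre == "", pre


def cooled_down_versions(time_map: Dict[str, str], now: datetime,
                         cooldown_days: int) -> List[str]:
    """Return versions published at least `cooldown_days` before `now`, oldest first.

    The 'created' and 'modified' keys are package-level, not versions, so they
    are skipped.
    """
    cutoff = now - timedelta(days=cooldown_days)
    eligible = [
        ver for ver, ts in time_map.items()
        if ver not in ("created", "modified") and parse_npm_time(ts) <= cutoff
    ]
    return sorted(eligible, key=version_key)


def resolve_version(package: str, time_map: Dict[str, str], now: datetime,
                    cooldown_days: int,
                    feed: Set[Tuple[str, str]]) -> Optional[str]:
    """Pick the newest cooled-down version, refusing it if the feed flags it.

    A flagged version is an error rather than a silent downgrade: if the newest
    release that survived the cooldown is known-malicious, the package needs a
    human decision, not an automatic fallback to an older release.
    """
    candidates = cooled_down_versions(time_map, now, cooldown_days)
    if not candidates:
        return None
    chosen = candidates[-1]
    if (package, chosen) in feed:
        raise MaliciousPackageError(f"{package}@{chosen} is on the threat feed")
    return chosen


if __name__ == "__main__":
    # With a 7-day cooldown the day-old 2.3.1 is skipped and 2.3.0 is chosen.
    print(resolve_version(PACKAGE_NAME, PACKAGE_TIME_MAP, NOW, 7, THREAT_FEED))
    # With no cooldown the resolver would happily take the suspicious 2.3.1.
    print(resolve_version(PACKAGE_NAME, PACKAGE_TIME_MAP, NOW, 0, THREAT_FEED))
```

Note what the feed check does and does not cover here: 2.2.0 is flagged but never selected, so the feed alone would have let 2.3.1 through on install day; it is the cooldown, not the feed, that keeps the day-old release out, which is the point of the thread.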

PunchyHamster today at 8:30 AM

> No one looks at Debian and is saying "well maybe we should do what they do"...

You mean that having a mature community with maintainers checking subscriptions and a "testing" channel where stuff only lands after a few weeks of no problems is useful? Who could possibly imagine!?

Industry's gonna NIH

> OK, the big problem is that lots of stuff installed for campaigns wasn't flagged in any feed. If maintainer access is taken over, you still don't have any feed info; maybe it will be a bit faster to publish if the maintainer finds out.

Technically, at the very least, a company could throw their feed to AI and at least get some automated screening of the changes between versions.
