1 hour ago · Tech · 0 comments

This post is an expansion of what I wrote on r/archlinux as a proposal for AUR helpers. It is a call for every package manager to add support for global hooks.

The packaging ecosystems that we all rely on have been under constant attack. The most interesting countermeasures currently are dependency cooldowns and dependency policies. A third interesting one is Homebrew's cooldown: a one-day wait before a package from the Python/NPM ecosystems is automatically bumped. In addition, almost every security vendor now has a package-management "firewall" offering (Socket, Datadog and Safedep, for example). These work in one of several ways:

Registry mode, where you point your package manager at a local registry that proxies requests and blocks access wherever it deems fit.

Shell wrapper, where you alias your package manager and the wrapper intercepts your commands. Shell aliases are a very weak security boundary.

MITM mode, where you configure it as an HTTPS proxy and it intercepts your network…
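The dependency-cooldown countermeasure mentioned above, as an added example that is not part of the original post: a resolver that refuses to select any version published less than N days ago, so a release pushed minutes ago by a hijacked maintainer account cannot land in an install until the ecosystem has had time to notice and pull it. It assumes a version-to-publish-time map in the shape of the `time` object an npm registry document carries (which also holds non-version keys such as `created` and `modified` that must be skipped); the sample data and the `resolve_with_cooldown` / `newest_version` names are constructed for this example.

```python
"""Dependency cooldown resolver (added example, not from the post).

Given a package's per-version publish timestamps, pick the newest
version that has been public for at least `cooldown_days` days.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: mirrors the "time" object of an npm registry document
# (version -> ISO-8601 publish time). "created"/"modified" are not versions.
SAMPLE_TIME = {
    "created": "2024-01-10T09:00:00.000Z",
    "modified": "2025-03-02T04:10:00.000Z",
    "1.0.0": "2024-01-10T09:00:00.000Z",
    "1.1.0": "2024-06-15T12:30:00.000Z",
    "1.1.1": "2025-02-20T08:00:00.000Z",
    "1.2.0": "2025-03-02T04:10:00.000Z",  # hypothetical: pushed minutes ago
}


def parse_version(key):
    """Turn a plain x.y.z version into a comparable tuple.
    Returns None for keys that are not versions (e.g. "created")."""
    parts = key.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def parse_iso(ts):
    """Parse an npm-style timestamp; the trailing 'Z' is rewritten because
    datetime.fromisoformat() before Python 3.11 does not accept it."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def newest_version(time_map):
    """What a resolver without a cooldown would pick: the highest version."""
    versions = [k for k in time_map if parse_version(k) is not None]
    return max(versions, key=parse_version) if versions else None


def resolve_with_cooldown(time_map, cooldown_days, now_iso=None):
    """Return the highest version whose publish time is at least
    `cooldown_days` before `now_iso` (defaults to the current UTC time),
    or None if no version is old enough. Pre-release tags are ignored."""
    now = parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    cutoff = now - timedelta(days=cooldown_days)
    eligible = []
    for key, ts in time_map.items():
        ver = parse_version(key)
        if ver is None:
            continue
        if parse_iso(ts) <= cutoff:
            eligible.append((ver, key))
    if not eligible:
        return None
    # max() on (tuple, key) pairs compares the numeric tuple first
    return max(eligible)[1]


if __name__ == "__main__":
    now = "2025-03-02T04:15:00.000Z"  # constructed "current time"
    print("without cooldown:", newest_version(SAMPLE_TIME))
    print("with 7-day cooldown:", resolve_with_cooldown(SAMPLE_TIME, 7, now))
```

With a seven-day cooldown the resolver skips the minutes-old 1.2.0 and returns 1.1.1; with a ten-day cooldown 1.1.1 is also too fresh and 1.1.0 is chosen. The policy is only as good as the timestamp source: it must come from the registry (or a mirror you trust), never from metadata embedded in the package itself, and a version yanked from the registry during the cooldown simply disappears from the map.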
