β˜… STMAN β˜… πŸ³οΈβ€πŸŒˆ  

Over 700 Malicious Typosquatted Libraries Found On RubyGems Repository.

thehackernews.com/2020/04/ruby

1
kravietz πŸ¦‡
Follow

@stman

Topic of signed gems seems to have been last raised in... 2013 github.com/rubygems-trust

Β· Β· 2 Β· 0 Β· 1
kravietz πŸ¦‡  

@stman

packages could have PGP signatures like forever (twine --sign), but predictably nobody uses it.

There's an active discussion on PEP 458 to sign packages at pypi (centrally) discuss.python.org/t/pep-458-s

1
Claes Wallin πŸ‡ΈπŸ‡ͺπŸ‡­πŸ‡°  
@kravietz @stman At least pip allows hashing packages, but that doesn't really help against typo squatting.
1
kravietz πŸ¦‡  

@clacke @stman

Correct. And PyPi.org does ensure unique package names but then it doesn't really help - I've just spend half hour debugging an issue caused by the fact I installed "yara" package while the one I wanted is called "yara-python" πŸ€¦β€β™‚οΈ

1
Claes Wallin πŸ‡ΈπŸ‡ͺπŸ‡­πŸ‡°  
@kravietz @stman Not sure how signed packages help against typosquatting either, though. Would you have known that one author rather than the other was behind yara-python? What keys do you accept?
1
kravietz πŸ¦‡  

@clacke @stman

Sorry if I was unclear, but that's exactly what I meant... They don't.

What does help is some kind of reputation measurements in the first place (likes, downloads, "verified suppliers") and only then digital signatures to prevent spoofing.

0
kravietz πŸ¦‡  

@stman For signed packages were last discussed like in 2018 medium.com/@hq/introducing-pkg

0
Sign in to participate in the conversation
Mastodon πŸ” privacytools.io

Fast, secure and up-to-date instance. PrivacyTools provides knowledge and tools to protect your privacy against global mass surveillance.

Website: privacytools.io
Matrix Chat: chat.privacytools.io
Support us on OpenCollective, many contributions are tax deductible!

Resources

Developers

What is Mastodon?

social.privacytools.io

More…