I am not sure why the npm packages in yarn should be more exploitable than Linux.
- Linux is more ubiquitous than Node.js. If somebody exploits Linux, they get at least one order of magnitude more machines. So there is a higher motivation.
- Funny code in C is harder to spot than in JavaScript. Furthermore ...
- A binary is harder to inspect than any module written in JavaScript (even if minified).
- The code in the Linux default installation is at least 2 orders of magnitude larger than the code that yarn installs.
I was very conservative in my estimations.
Considering these kinds of attacks, Linux seems more likely to be already exploited by a few organizations in multiple ways.
We have been trusting too much. As more code gets written and many more people come to learn to program, the number of supply chain attacks will increase. And at the same time, as security know-how becomes easier to access on the Internet, we will get smarter exploiters capable of hiding their wrongdoing.