undefined | Better HN

0 pointsNathanKP4y ago0 comments

Yeah I really wouldn't want to use anything that dynamically pulls a package from PyPI at runtime, because I don't trust this guy not to add a vulnerability to the code at a later point in time.

0 comments

pas4y ago

Okay, so ... I know someone might, but really who will audit any of his existing code?

(Sure, that's slightly different than identifying such an auto-update point and then trying to do a supply-chain attack. But do maintainers look at what they package? In how much detail?)

NathanKPOP4y ago

That's the point of packaging it... you review it at the time that you package it, and then you review it each time you update it in the future. Should always do a simple diff at minimum to see what changed. That's just part of being a responsible open source user.

xyzzyz4y ago

> Should always do a simple diff at minimum to see what changed. That's just part of being a responsible open source user.

Nobody does this, as this is completely unreasonable thing to expect.

1 more reply

jsmith454y ago

Home Assistant's core developers really do look at the intergration plugins rather closely before they accept any pull request that updates the dependencies. This is needed as badly coded integration libraries really can negatively impact the stability and performance of the whole system.

It is not uncommon to see them request changes to the bumped library to fix any issues they have noticed.

j / k navigate · click thread line to collapse