undefined | Better HN

story

0 pointsbpavuk5mo ago0 comments

wait, I short-circuited here. wasn't the very concept of "libraries" created to *not* have to think about what exactly the code does?

imagine reviewing every React update. yes, some do that (Obsidian claims to review every dependency, whether new or an update), but that's due to flaws of the ecosystem.

take a look at Maven Central. it's harder to get into, but that's the price of security. you have to verify the namespace so that no one will publish under e.g. `io.gitlab.bpavuk.` namespace unless they have access to the `bpavuk` GitLab group or user, or `org.jetbrains.` unless they prove the ownership of the jetbrains.com domain.

Go is also nice in that regard - you are depending on Git repositories directly, so you have to hijack into the Git repo permissions and spoil the source code there.

0 comments

tadfisher5mo ago

> Go is also nice in that regard - you are depending on Git repositories directly, so you have to hijack into the Git repo permissions and spoil the source code there.

That in itself is scary because Git refs are mutable. Even with compromised credentials, no one can replace artifacts already deployed to Maven Central, because they simply don't allow it. There is nothing stopping someone from replacing a Git tag with one that points to compromised code.

The surface area is smaller because Go does locking via go.sum, but I could certainly see a tired developer regenerating it over the most strenuous of on-screen objections from the go CLI.

fpoling5mo ago

Go also includes a database of known package hashes so altering git tag to point to another commit will be detected.

JodieBenitez5mo ago

I don't know if it's a common or even a good practice, but I like to go mod vendor and add the result to my repo.

bpavukOP5mo ago

I do `cargo vendor` sometimes, but that's mostly to enable offline work and use the debugger inside some vague crates (Rust's libraries-but-not-really), and usually I gitignore the `vendor`'ed crates away.

tapete25mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

Let's say you need a FFT implementation. You can write that from scratch, or you can use a library. In both cases you should use tests to verify that the code calculates the FFT correctly, and in the library case you should read the code to make sure that it works correctly and does not omit and edge cases (e.g.).

zahlman5mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

If you care about security, you only have to care once, during the audit. And you can find a pretty high percentage of malware in practice without actually having a detailed understanding of the non-malicious workings of the code.

Libraries allow you to not think about what the code does at development time, which in general is much more significant than audit time. Also, importantly, they allow you not to have to design and write that part of the code.

Ajedi325mo ago

Are GitHub creds any harder for malware to steal than NPM creds? I don't see how that helps at all.

bpavukOP5mo ago

well, if you talk about private SSH keys for Git operations and SSH/GPG keys for signing, then you'd better set up a passphrase on them, which GitHub strongly recommends. the passphrase will make it significantly harder to use the keys. so, as usual, It Depends (c)

j / k navigate · click thread line to collapse

0 comments

tadfisher5mo ago

> Go is also nice in that regard - you are depending on Git repositories directly, so you have to hijack into the Git repo permissions and spoil the source code there.

The surface area is smaller because Go does locking via go.sum, but I could certainly see a tired developer regenerating it over the most strenuous of on-screen objections from the go CLI.

fpoling5mo ago

Go also includes a database of known package hashes so altering git tag to point to another commit will be detected.

JodieBenitez5mo ago

I don't know if it's a common or even a good practice, but I like to go mod vendor and add the result to my repo.

bpavukOP5mo ago

tapete25mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

zahlman5mo ago

> wasn't the very concept of "libraries" created to not have to think about what exactly the code does?

Ajedi325mo ago

Are GitHub creds any harder for malware to steal than NPM creds? I don't see how that helps at all.

bpavukOP5mo ago

j / k navigate · click thread line to collapse