[GTALUG] security threats of Open Source
D. Hugh Redelmeier
hugh at mimosa.com
Thu Jan 23 14:08:30 EST 2020
<https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/>
This article lists six cases of malware contributed to npm (the repo for
sharing node.js and JavaScript source).
How many undetected cases exist?
I've always pretended that Linux distros vet their code. I'm not sure how
true that is. Probably the greatest protection is the time delay between
contribution and distribution.
I wonder what can be done about this problem. I've said so at our
meetings a few times too.
Of course the problem is worse with closed source: it is impossible to
audit the source. But closed source might have fewer contributors and
more supervision. Of course much closed source is built on top of open
source and thus has all its weaknesses.
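The time delay between contribution and distribution that the post names as the main protection can be enforced on the consumer side as a "minimum release age" policy. The following is an added example, not code from the original post or from npm: it reads the `time` map that a registry packument (https://registry.npmjs.org/<name>) exposes and flags any pinned version published less than a threshold number of days ago. The packuments and the lockfile pins below are constructed sample data with hypothetical package names, so the script runs offline.

```javascript
// Added example (not from the original post): enforce a minimum "release age"
// for pinned npm dependencies. A freshly published version has had no time to
// be noticed or reported, so it is held back until it is at least MIN_AGE_DAYS
// old. The `time` objects mimic the npm registry packument format; the data
// and package names are constructed, not real registry responses.

const MIN_AGE_DAYS = 14;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample packuments (only the `time` field is used here).
const SAMPLE_PACKUMENTS = {
  "left-thing": {
    time: {
      created: "2018-03-01T00:00:00.000Z",
      "1.0.0": "2018-03-01T00:00:00.000Z",
      "1.0.1": "2020-01-20T15:00:00.000Z", // published three days before the post
    },
  },
  "stable-lib": {
    time: {
      created: "2017-06-10T00:00:00.000Z",
      "2.2.0": "2019-02-14T00:00:00.000Z",
      "2.3.0": "2019-11-05T00:00:00.000Z",
    },
  },
};

// Constructed sample: the pinned versions a package-lock.json would contain.
const SAMPLE_LOCK = {
  "left-thing": "1.0.1",
  "stable-lib": "2.3.0",
  "ghost-pkg": "9.9.9", // no packument at all: registry data missing
};

// Age in days of one published version, or null when the registry data does
// not contain a publish timestamp for it (unknown is treated as suspicious).
function releaseAgeDays(packument, version, now) {
  const published = packument && packument.time && packument.time[version];
  if (!published) return null;
  return (now - Date.parse(published)) / DAY_MS;
}

// Check every pinned dependency and return the findings (empty array = pass).
function auditLock(lock, packuments, now = Date.now(), minAgeDays = MIN_AGE_DAYS) {
  const findings = [];
  for (const [name, version] of Object.entries(lock)) {
    const age = releaseAgeDays(packuments[name], version, now);
    if (age === null) {
      findings.push({ name, version, reason: "no publish time in registry data" });
    } else if (age < minAgeDays) {
      findings.push({
        name,
        version,
        reason: `published ${age.toFixed(1)} days ago (< ${minAgeDays} day minimum)`,
      });
    }
  }
  return findings;
}

// Evaluate the sample lockfile as of the date of the post.
const POST_DATE = Date.parse("2020-01-23T19:08:30.000Z");
for (const f of auditLock(SAMPLE_LOCK, SAMPLE_PACKUMENTS, POST_DATE)) {
  console.log(`HOLD ${f.name}@${f.version}: ${f.reason}`);
}
```

In real use the packuments would be fetched from the registry for each entry in the lockfile and the script run in CI before `npm ci`, failing the build when `auditLock` returns anything. The threshold is a trade-off: a longer delay gives more time for a malicious release to be reported and pulled, but also delays legitimate security fixes.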