[GTALUG] security threats of Open Source

Dhaval Giani dhaval.giani at gmail.com
Fri Jan 24 00:13:02 EST 2020


Hugh,

On Thu, Jan 23, 2020 at 11:08 AM D. Hugh Redelmeier via talk <
talk at gtalug.org> wrote:

> <https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/>
>
> This article lists six cases of malware contributed to npm (the repo for
> sharing node.js and JavaScript source).
>
> How many undetected cases exist?
>
> I've always pretended that Linux distros vet their code.


They do, but npm is different. npm is independent of the distro itself. And
people want to use npm because it gives them the latest and the greatest.


>   I'm not sure how
> true that is.  Probably the greatest protection is the time delay between
> contribution and distribution.
>
>
I would be wary of this approach. There are a bunch of security fixes
where you probably don't want too long a delay. Part of the responsibility also
lies with the user to validate the update. With it being open source, and a
"volunteer" model, some of that has to be accepted by the user.

Dhaval
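Hugh's "time delay between contribution and distribution" and Dhaval's "the user has to validate the update" can both be turned into a concrete check. The script below is an added example, not code from this thread or from the npm project: it reads a package-lock.json (lockfileVersion 2 or 3, the format with a "packages" map) together with the registry's per-package "time" map (the shape GET https://registry.npmjs.org/<name> returns), and reports every dependency whose pinned version was published inside a cooldown window, plus every entry with no "integrity" hash. The lockfile, the registry metadata, the package names and the integrity strings are all constructed so it runs offline.

```python
"""Cooldown and integrity check for an npm lockfile.

Added example, not code from the GTALUG thread or from npm itself.
All data below is constructed: the package names are hypothetical and
the integrity strings are placeholders, not real digests.
"""
import json
from datetime import datetime, timedelta, timezone

COOLDOWN_DAYS = 14

# Constructed lockfile in the lockfileVersion 3 shape.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"example-util": "^1.3.0",
                              "example-helper": "^2.4.0",
                              "example-widget": "^0.9.0"}},
        "node_modules/example-util": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/example-util/-/example-util-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER-util"},
        "node_modules/example-helper": {
            "version": "2.4.1",
            "resolved": "https://registry.npmjs.org/example-helper/-/example-helper-2.4.1.tgz",
            "integrity": "sha512-PLACEHOLDER-helper"},
        # No integrity field at all: npm ci cannot verify this tarball.
        "node_modules/example-widget": {
            "version": "0.9.0",
            "resolved": "https://registry.npmjs.org/example-widget/-/example-widget-0.9.0.tgz"},
    },
})

# Constructed registry metadata: name -> the registry's "time" map, which
# records when each version was published.
SAMPLE_REGISTRY_TIME = {
    "example-util":   {"created": "2016-05-02T09:00:00.000Z",
                       "1.3.0": "2018-03-10T14:22:31.000Z"},
    "example-helper": {"created": "2019-11-01T08:00:00.000Z",
                       "2.4.0": "2019-12-15T10:05:00.000Z",
                       "2.4.1": "2020-01-22T03:14:07.000Z"},
    "example-widget": {"created": "2019-06-01T12:00:00.000Z",
                       "0.9.0": "2019-06-01T12:00:00.000Z"},
}

# Fixed "now" so the result is reproducible.
CHECK_TIME = datetime(2020, 1, 24, 0, 0, tzinfo=timezone.utc)


def parse_npm_time(stamp: str) -> datetime:
    """Parse a registry timestamp such as 2020-01-22T03:14:07.000Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def package_name(path: str, entry: dict) -> str:
    """Derive the name from a lockfile path such as
    node_modules/a/node_modules/@scope/b (-> @scope/b), unless the
    entry states it explicitly."""
    return entry.get("name") or path.rsplit("node_modules/", 1)[-1]


def check_lockfile(lockfile_text, registry_time, now=CHECK_TIME,
                   cooldown_days=COOLDOWN_DAYS):
    """Return one finding dict per problem: a missing integrity hash, a
    version the registry does not know, or a version published inside
    the cooldown window."""
    lock = json.loads(lockfile_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = package_name(path, entry)
        version = entry.get("version")
        if not entry.get("integrity"):
            findings.append({"package": name, "version": version,
                             "reason": "missing integrity hash"})
        published = registry_time.get(name, {}).get(version)
        if published is None:
            findings.append({"package": name, "version": version,
                             "reason": "version absent from registry metadata"})
            continue
        age = now - parse_npm_time(published)
        if age < timedelta(days=cooldown_days):
            findings.append({"package": name, "version": version,
                             "reason": f"published {age.days}d ago, inside "
                                       f"the {cooldown_days}-day cooldown"})
    return findings


if __name__ == "__main__":
    for f in check_lockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_TIME):
        print(f"{f['package']}@{f['version']}: {f['reason']}")
```

On the sample data this flags example-helper@2.4.1 (two days old) and example-widget@0.9.0 (no integrity hash) and passes example-util. Run against a real lockfile you would fetch each package's metadata from the registry instead of the embedded map. npm can enforce the same delay at install time with `npm install --before=<date>`, which only resolves versions published on or before that date; the cooldown is a tradeoff, since it also delays the security fixes Dhaval mentions, so an exception list for known-urgent advisories is usually needed alongside it.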

