A potential danger to dub
Sep 22
Matt
September 16
Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.

You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.

[1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
September 20
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.
>
> [1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

We have the strength of being a mostly unknown language, but it still sounds scary.

I usually download all the stuff, and only use dub to compile the libraries, then mostly rely on the IDE's build system, and wrote a PowerShell script to recompile the libraries I use in case I update the compiler.
September 22
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.
>
> [1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

Maybe we should have an option to add a hash with the package version, to be able to check the integrity of the code that is downloaded?
September 22
On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.
>
> [1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

The main vector of attack was slightly misnamed popular packages. That can be solved by adding checksums and adding some sort of "certified real repo" badge systems to the package manager.
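The two mitigations raised in this thread, a pinned hash per package version (September 22, first reply) and catching slightly misnamed lookalikes of popular packages (the reply above), can both be checked at fetch time. The following is an added, registry-agnostic sketch written for this page; it is not code from dub, PyPI or any poster. Python is used only because the reference incident was on PyPI and the technique is the same for any package manager. The trusted package list, the archive bytes, the `pin_package`/`verify_package`/`lookalike_of`/`audit_fetch` names and the edit-distance thresholds are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed stand-in for "the popular packages people actually mean to install".
# In a real registry this would be the curated / badge-holding set, not a hard-coded list.
TRUSTED: List[str] = ["fastjson", "netutil", "cryptobox", "stdio-ext"]

# Constructed archive contents; no real package is represented.
GOOD_ARCHIVE = b"fastjson 1.2.0 source archive (constructed sample)"
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"\n# extra payload appended after review"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin_package(lock: Dict[str, str], key: str, archive: bytes) -> str:
    """Record the archive digest once, at review time. `lock` plays the role
    of a selections/lock file carrying a hash field (assumed, not dub's format)."""
    digest = sha256_hex(archive)
    lock[key] = digest
    return digest


def verify_package(lock: Dict[str, str], key: str, archive: bytes) -> bool:
    """True only if a pin exists and the fetched bytes match it.
    An unpinned package is reported as unverified, never silently trusted."""
    expected = lock.get(key)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(archive))


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1 (covers 'urlib'/'urllib'-style typos)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(name: str) -> str:
    # Case and '-'/'_' are treated as equivalent, as registries commonly do.
    return name.lower().replace("_", "-")


def lookalike_of(name: str, trusted: List[str]) -> Optional[str]:
    """Return the trusted package this name resembles, or None.
    An exact (normalized) match is the genuine package, not a lookalike.
    Threshold (assumed): distance <= 1 for short names, <= 2 for longer ones."""
    n = normalize(name)
    best: Optional[str] = None
    best_d: Optional[int] = None
    for t in trusted:
        tn = normalize(t)
        if n == tn:
            return None
        dist = osa_distance(n, tn)
        limit = 1 if len(tn) <= 5 else 2
        if dist <= limit and (best_d is None or dist < best_d):
            best, best_d = t, dist
    return best


def audit_fetch(name: str, version: str, archive: bytes,
                lock: Dict[str, str], trusted: List[str]) -> List[str]:
    """Run both checks on a fetched package; an empty list means it passed."""
    findings: List[str] = []
    similar = lookalike_of(name, trusted)
    if similar is not None:
        findings.append(f"name '{name}' resembles trusted package '{similar}'")
    key = f"{name}-{version}"
    if key not in lock:
        findings.append(f"{key} has no pinned hash")
    elif not verify_package(lock, key, archive):
        findings.append(f"{key} does not match pinned hash")
    return findings


if __name__ == "__main__":
    lock: Dict[str, str] = {}
    pin_package(lock, "fastjson-1.2.0", GOOD_ARCHIVE)          # done once, after review
    print(audit_fetch("fastjson", "1.2.0", GOOD_ARCHIVE, lock, TRUSTED))      # []
    print(audit_fetch("fastjson", "1.2.0", TAMPERED_ARCHIVE, lock, TRUSTED))  # hash mismatch
    print(audit_fetch("fastjsno", "1.2.0", GOOD_ARCHIVE, lock, TRUSTED))      # lookalike + unpinned
```

The hash pin only helps if it is recorded from a reviewed copy and checked on every subsequent fetch; computing it from whatever the registry serves today just restates the registry's own answer. The lookalike check is deliberately conservative (small edit distance against a curated list) because a registry-wide fuzzy match would flag many legitimate names; the threshold is a tuning knob, not a fixed rule.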