Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.

You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.

[1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.
>
> [1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

We have the strength of being a mostly unknown language, but it still sounds scary.

I usually download all the stuff, and only use dub to compile the libraries, then mostly rely on the IDE's build system, and wrote a PowerShell script to recompile the libraries I use in case if I update the compiler.

On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.
>
> [1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

maybe we should have an option to add a hash with the package version, to be able to check the integrity of the code that it's downloaded?

On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi wrote:
> Let me preface this by saying I love package managers and think dub is one of the best things with dlang. However they can also sometimes be dangerous, as this PyPI incident[1] shows: several Python packages were uploaded that contained names similar to the standard library, and had an extra semi-malicious payload. They are apparently now part of live software.
>
> You could of course expect developers to do due diligence with the things they download, but of course they don't. It's probably worth paying attention to what the PyPI devs do to help mitigate this, and perhaps repeat some of those things with dub.
>
> [1] https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

The main vector of attack was slightly misnamed popular packages. That can be solved by adding checksums and adding some sort of "certified real repo" badge systems to the package manager.

On Friday, 22 September 2017 at 23:36:37 UTC, Matt wrote:
>> https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/

Not sure why this old post reappears in the index, but please be aware that the above article links to a site that sends you to random malicious websites.

It is from a link in the sentence «Results published here showed the packages were downloaded almost 7,000 over a two-day period.». So don't got there...

On Wednesday, 9 October 2019 at 12:47:27 UTC, Ola Fosheim Grøstad wrote:
> On Friday, 22 September 2017 at 23:36:37 UTC, Matt wrote:
>>> https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
>
> Not sure why this old post reappears in the index, but please be aware that the above article links to a site that sends you to random malicious websites.
>
> It is from a link in the sentence «Results published here showed the packages were downloaded almost 7,000 over a two-day period.». So don't got there...

Thanks for the information.