this post was submitted on 30 Mar 2024
1574 points (97.7% liked)

linuxmemes

20484 readers
950 users here now

I use Arch btw

Sister communities:

Community rules

  1. Follow the site-wide rules and code of conduct
  2. Be civil
  3. Post Linux-related content
  4. No recent reposts

Please report posts and comments that break these rules!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
1574
Backdoors (lemmy.ml)
submitted 4 months ago by [email protected] to c/[email protected]
115 comments fedilink hide all child comments
 

https://wetdry.world/@cyrus/112186279067271067

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 170 points 4 months ago (25 children)

I've gotten back into tinkering on a little Rust game project, it has about a dozen dependencies on various math and gamedev libraries. When I go to build (just like with npm in my JavaScript projects) cargo needs to download and build just over 200 projects. 3 of them build and run "install scripts" which are just also rust programs. I know this because my anti-virus flagged each of them and I had to allow them through so my little roguelike would build.

Like, what are we even suppose to tell "normal people" about security? "Yeah, don't download files from people you don't trust and never run executables from the web. How do I install this programming utility? Blindly run code from over 300 people and hope none of them wanted to sneak something malicious in there."

I don't want to go back to the days of hand chisling every routine into bare silicon by hand, but i feel l like there must be a better system we just haven't devised yet.

[–] [email protected] 18 points 4 months ago* (last edited 4 months ago) (1 children)

It's a really wicked problem to be sure. There is work underway in a bunch of places around different approaches to this; take a look at SBoM (software bill-of-materials) and reproducible builds. Doesn't totally address the trust issue (the malicious xz releases had good gpg signatures from a trusted contributor), but makes it easier to spot binary tampering.

[–] [email protected] 11 points 4 months ago* (last edited 4 months ago)

+1

Shameless plug to the OSS Review Toolkit project (https://oss-review-toolkit.org/ort/) which analyze your package manager, build a dependency tree and generates a SBOM for you. It can also check for vulnerabilitiea with the help of VulnerableCode.

It is mainly aimed at OSS Compliance though.

(I am a contributor)

load more comments (23 replies)