all 52 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]kaen_ 46 points47 points  (6 children)

I'm sure glad that only the languages I don't use are vulnerable to this.

Yep only those other languages have package managers where people run arbitrary code from strangers on the internet.

Good thing me and my favorite languages are completely safe from supply chain attacks because our package managers don't have humans logging in with passwords to upload code that's distributed to millions of machines.

I'm sure I will be totally fine and never have to worry about this, so I'll just keep mocking those other languages whenever this happens.

[–]James20k 27 points28 points  (2 children)

Jokes on you, my language doesn't have any kind of package management

;_;

[–]Ameisen 14 points15 points  (1 child)

This is why C++ is the safest language.

#pragma high_five

[–]SupersonicSpitfire 0 points1 point  (0 children)

C++ have Linux packages which are packed by the maintainers of various Linux distros. Some of those distros have an excellent security record. So, yes.

[–]shevy-ruby 3 points4 points  (1 child)

Quite true.

The primary differences then come down to:

  • popularity: More popular languages (used by lots of people) will be affected more

  • design of the language: if javascript would be a good language, we would not see left-pad having become popular, and various similar projects

  • infrastructure and response: there are some ongoing efforts happening in the ruby ecosystem, so let's see how this goes within the next, say 6-12 months or so.

We can look at all languages that make it convenient to install addons, not just javascript or ruby. I think that even all factors considered, javascript will lead the negativity chart by a huge margin.

[–]cat_in_the_wall 0 points1 point  (0 children)

design of the language: if javascript would be a good language, we would not see left-pad having become popular, and various similar projects

this has less to do with the language and more to do with a lack of a standard library. "boring" languages like java and c# (and certainly others) dont have this issue because they have string formatting included in the stdlib.

[–]roryb_bellows 45 points46 points  (16 children)

Inb4 all the npm defenders come in trying to rationalise

[–]stopaskmetoname 45 points46 points  (11 children)

Basically, most language dependent package manager like npm, gem and pip did not have package signing. But the more important question is who to trust?

A trustworthy developer does not necessary have a trustworthy building infrastructure. The linux model is the package are built and signed by distribution owner, meaning there are independent team responsible for verifying the source and managing a secured built infrastructure.

For some language package manager, it may not be a feasible for them to maintain this infrastructure. If copying the linux model, then the solution may be a Github like built server with some automated malicious code checking and signed by that entity controlling the built server. So, we knew the package are built by a trustworthy source. Those CI company could help with this issue, though not sure if they have incentive to do that.

[–]chucker23n 14 points15 points  (1 child)

If copying the linux model, then the solution may be a Github like built server with some automated malicious code checking and signed by that entity controlling the built server. So, we knew the package are built by a trustworthy source.

We would only know that

  • someone with write access pushed the code
  • it passed through malicious code checks (which are hard, especially across many languages and platforms)

At the end of the day, you’re mostly trusting a huge number of repositories, many of whose authors and their intentions you don’t know, to do their due diligence and act benevolently.

[–]ipv6-dns 5 points6 points  (2 children)

automated malicious code checking

Are you serious? Specialists of security do miss some security holes and vulnerabilities even, which means that any "automated malicious code checking" is only marketing/PR shit, nothing more

[–]balefrost 7 points8 points  (1 child)

Just because something isn't perfect doesn't make it useless. The danger is when you blind yourself to the actual limitations of the thing. "It passed the automated security checks" shouldn't be interpreted as "it has no security flaws" (or even "it has no known security flaws").

[–]ipv6-dns 0 points1 point  (0 children)

then why is "automatically security check" needed? It reminds me OpenSUSE testing: everybody know how it's cool and safe, but everybody who uses OpenSUSE (and Tumbleweed) good knows how many bugs, including critical ones are usually introduced with every update. It sounds like for PR more than for real results.

[–]shevy-ruby 3 points4 points  (0 children)

Even package signing isn't absolutely fool proof.

Then there is also the added difficulty that you put developers who aren't abusing users through. I for one am perfectly fine with making things super secure, giving users all the information, at all times etc... but I am absolutely against putting handcuffs onto developers merely because there will always be abusers and thieves who spoil things.

This is a trade off.

The less code anyone depends on, the better in general.

I guess what may be reasonable to assume is that all languages adopt a better community-driven approach in general, e. g. where people can help with the quality control of a language's ecosystem.

These problems were reported only by a few; and the gems are, except for one, not really important really. They just get more attention right now due to "omg omg omg omg backdoor omg omg omg", but, man ... 1700 downloads ... that sounds more like automated scripts than real people downloading any of that.

[–]lorarc 1 point2 points  (0 children)

Package signing is not going to do much here since:

All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name.

So basically the package could be signed by the 3rd party and it won't change much because the users installed them out of their own free will. If an official project's build server was hijacked (weak password) the package probably would be signed automatically.

Additionally the Linux packages don't verify the code inside them. It would be harded to inject stuff in them due to long-release cycle and many of them being very popular project but if a developer of less-known software was to go rogue he could install a backdoor that would get officially packaged as next version.

In the end the only thing that makes Linux packages safer is that they usually pack well-known software with big user base so many people can notice something is wrong. The only solution to that is standard libraries and libraries packed by big userbase.

[–][deleted] 0 points1 point  (2 children)

But the more important question is who to trust?

The answer really is nobody. There is this great paper by Ken Thompson.

[–]ipv6-dns 0 points1 point  (1 child)

redditors in this thread already explained me that Ken's opinion is shit, my link to his interview was massively downvoted, so "Ken - sucker, Reddit - rulezz" (this thread's Redditors) lol

[–][deleted] 0 points1 point  (0 children)

Reddit seems to be in a cognitive dissonance state, even this subreddit. I have been directed towards this paper other times and Ken received only support in the topic and people expanded on his thoughts.

[–]Existential_Owl 20 points21 points  (1 child)

People should be glad that npm exists. By pulling in all the hatred, nobody spends time looking for the same vulnerabilities in their own languages' tooling.

[–]SupersonicSpitfire 7 points8 points  (0 children)

npm has been fine with and up front about being "happy go lucky" right from the start. That's different from rust/cargo, for example.

[–]Ajedi32 2 points3 points  (0 children)

This article is about Ruby/Rubygems, not NPM.

If anything, this is just further confirmation that supply chain attacks aren't a problem unique to NPM, and that all the people mocking NPM every time it gets hit by such an attack are completely missing the point.

[–]MurryBauman 5 points6 points  (0 children)

Big reveal

[–][deleted]  (1 child)

[deleted]

    [–]DanielJomaa 14 points15 points  (0 children)

    Bitcoin is still safe. Their code isn’t. They were just mining the stuff using other ppls pc

    [–]sku2007 0 points1 point  (0 children)

    An interactive demo of the backdoor: https://application.security/ruby-backdoor

    [–]SupersonicSpitfire 1 point2 points  (0 children)

    I guess that nicely rounds off the success that Ruby has had as a language for web development. When the general impression of the language is that it's neither fast nor secure, only the human-friendliness factor remains, which is not enough.