top | item 43238388


mgolawala | 1 year ago

I think it is worse than that.

I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.

I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.

unclebucknasty | 1 year ago

But, truly, what is the solution?

I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.

Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.

unnah | 1 year ago

Commercial Linux distributions like Red Hat, Suse and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.

For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.

Intralexical | 1 year ago

Of the 351 malicious repositories in the spreadsheet somebody linked, only 4 have more than 10 stars. None of them have more than 30 stars, and none of them have more than 3 forks. None have more than 5 issues, and only 4 have more than one issue.

You don't have to assume that the code is community-vetted. If a repository has at least a couple hundred stars, lots of forks, and an active pull request cadence, then you know that at least some people have gone digging through it.

If not, then that's when you should break out the sandboxing tools and prepare to check the code yourself. At least it should be easy-ish to automatically check/block everything that has the potential to open a network connection, which defeats most profitable malware models.
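The "automatically check/block everything that has the potential to open a network connection" step above, as an added example (not code from the thread or from any project it names): a small static triage of a repo's Python sources that flags network-capable imports and shell-out calls before you build or run a low-reputation checkout. The module and call lists are this example's own assumption, a starting point rather than an exhaustive catalogue, and an import scan is only a first filter; dynamic imports, compiled extensions and install hooks still need the sandbox.

```python
import ast
from pathlib import Path

# Modules whose import alone means the code may open a connection (assumption: starter list, not exhaustive).
NETWORK_MODULES = {"socket", "ssl", "http", "urllib", "requests", "httpx",
                   "aiohttp", "ftplib", "smtplib", "telnetlib", "xmlrpc"}
# Calls that shell out and so sidestep an import-only check.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_network_capability(source):
    """Return sorted (line, reason) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    findings.append((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in NETWORK_MODULES:
                findings.append((node.lineno, f"from {node.module} import ..."))
        elif isinstance(node, ast.Call) and _dotted(node.func) in SHELL_CALLS:
            findings.append((node.lineno, f"call {_dotted(node.func)}()"))
    return sorted(findings)

def audit_repo(root):
    """Map each .py file under root to its findings; files with none are omitted."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        try:
            hits = find_network_capability(path.read_text(encoding="utf-8"))
        except (SyntaxError, UnicodeDecodeError):
            hits = [(0, "unparseable file, review by hand")]
        if hits:
            report[str(path.relative_to(root))] = hits
    return report

# Constructed sample (not from the thread): an install hook that shells out and fetches a URL.
SAMPLE = "import os\nfrom urllib import request\n\ndef run():\n    os.system('whoami')\n    request.urlopen('http://example.invalid')\n"
```

Run `audit_repo("path/to/checkout")` on a fresh clone and treat any non-empty report as a reason to read those files or keep the build inside a sandbox.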

consumer451 | 1 year ago

> But, truly, what is the solution?

Let's use GitHub as an example. We have forks, and stars. Maybe we could also have some kind of build endorsement?

How one would verify that the endorser is worth your trust, I am not entirely sure.

Maybe endorsers could eventually be rated by CVEs found in their endorsements, and that would build trust?

codedokode | 1 year ago

You can get rid of legacy OSes like Windows or Linux that cannot run applications in a sandbox and switch to those which can. In this case the malware only gets a sandbox and not the whole system.

If you work for a commercial company then you should not download the code from random users on GitHub for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put in backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.

dcreater | 1 year ago

This is a solvable problem thanks to LLMs.