[TriLUG] Open source presentation frameworks?

Igor Partola igor at igorpartola.com
Wed Jul 31 11:36:27 EDT 2013


It's worse than that. Both Python's easy_install/pip and Ruby Gems system
are insanely insecure. Anyone can publish packages on PyPI with any package
name/description they want; there is no review like you get with the distro
packages. Once you have a popular package on there, you can turn evil and
include an exploit. Moreover, easy_install/pip run the Python egg's
setup.py which can run arbitrary code on your system in order to perform
the install. This is even worse than just checking out a library from
GitHub/BitBucket and including it in your project since at least then you
get a chance to review the code on your machine before running it.

Also, until recently PyPI was not properly set up for HTTPS and all
downloads were done over HTTP with no signature verification. Basically,
this is a giant attack vector.

The big reason for this is that since anyone can publish packages (by
design), the problem of building trust becomes very complex and the problem
is open-ended. Here's a great recent discussion on the subject:
https://news.ycombinator.com/item?id=6094486

Igor

On Wed, Jul 31, 2013 at 11:25 AM, porter <porter at trilug.org> wrote:

>
>  So one extra step regardless of distro:
>> sudo easy_install pip
>> Then
>> sudo pip install landslide
>>
>
> I've noticed recently a trend where I look up how to install some
> new package, and they say "it's easy, just one line!".
>
> $ someInstallerIveNeverHeardOf install thePackage
>
> Then comes the secondary problem... what did that actually do?
>

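A defender-side illustration of the two points in the message above, pinning the download to a known hash and reading setup.py before anything executes it. This is example code added here, not code from the thread or from pip; the sdist it audits is constructed in memory and the SUSPICIOUS call list is an assumed review heuristic.

```python
import ast
import gzip
import hashlib
import io
import tarfile

# Calls that execute something at install time. A review heuristic (assumed),
# not a security boundary: read the file yourself before running setup.py.
SUSPICIOUS = {"os.system", "subprocess.call", "subprocess.run",
              "subprocess.Popen", "exec", "eval", "urllib.request.urlopen"}

def make_sdist(setup_py: str) -> bytes:
    """Build a tiny in-memory sdist (constructed test data, not a real package).
    gzip mtime is fixed so the archive bytes, and thus its hash, are reproducible."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            data = setup_py.encode()
            info = tarfile.TarInfo("pkg-1.0/setup.py")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def verify_hash(blob: bytes, pinned_sha256: str) -> bool:
    """Accept the download only if it matches a hash pinned out of band."""
    return sha256_hex(blob) == pinned_sha256

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def audit_setup_py(blob: bytes) -> list:
    """Pull setup.py out of the sdist and list suspicious calls, never executing it."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        member = next(m for m in tar.getmembers() if m.name.endswith("/setup.py"))
        source = tar.extractfile(member).read().decode()
    return [f"line {n.lineno}: {_dotted(n.func)}"
            for n in ast.walk(ast.parse(source))
            if isinstance(n, ast.Call) and _dotted(n.func) in SUSPICIOUS]
```

The audit parses the file with `ast` rather than importing it, so a hooked setup.py is surfaced for review without ever running.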

More information about the TriLUG mailing list