I hesitate to ask this, becuase I don’t have the technical knowledge to meaningfully participate, but its still seems important.
This article in ArsTechnica talks about malware being slipped into open NPM repositories. Apparently its becoming more common, with similar attacks on RubyGems and PyPi. I think I have seen at least one other mention of another instance somewhere else in the media recently.
I remember in the foundational documents of Qubes, someone (probably Joanna?) pointing out something like, the root of all trust in Qubes is in the OSes they use. For practical reasons, if you follow the chain all the way down, the buck stops there. So if someone busts open the house of Xen or Fedora, well… whatcha gonna you do?
That seems llike a fair point! But now it seems to be - possibly, potentially - happening. (Am I wrong?)
I don’t understand the process well enough and I might be mixing things up, but it does seem to me this is a serious concern to our community. I’ll draw out a quote from the article’s discussion:
Oz7 Ars Scholae Palatinae et Subscriptor
reply Dec 9, 2021 2:02 AM
“People downloading open source packages should take extra care in making sure the item they’re downloading is legitimate and not malware masquerading as something legitimate.”
Would love a long form piece on ars (or insights from the ars crowd) as to how to do this if you’re a small-ish data science team. R’s CRAN seems to be policed well enough, but unclear if Conda or PyPi are to the same degree. Any Python repositories that are as policed as CRAN?
+79 (+79 / 0)
1282 posts | registered 11/17/2012
So two specific questions from this.
as a Qubes user (or any user of any OS, really) how can we “take extra care” when adding bits and pieces onto our system?
how does the Qubes OS team - “a small-ish…team” - check the massive amount of components that go into the Qubes system, a great majority come from open source repositories?
The article talks about paid services (Anaconda is given as an example) that screen their material. Does Qubes have the financial resources for something like this (and what about trust?), and does that need to be discussed? Or is it something that it can and maybe already does itself?
If I have completely misread this situation and its really not a problem, can you tell me why?