[erlang-questions] rebar3 dependencies
Loïc Hoguin
essen@REDACTED
Wed Mar 23 14:19:51 CET 2016
On 03/23/2016 02:00 PM, Roberto Ostinelli wrote:
> On Wed, Mar 23, 2016 at 1:56 PM, Loïc Hoguin <essen@REDACTED
> <mailto:essen@REDACTED>> wrote:
>
> Of course this can happen with hex.pm <http://hex.pm>. :-)
>
> https://hex.pm/docs/codeofconduct
>
> Data published to Hex is hosted at the discretion
> of the Hex team, and may be removed.
>
> It can also happen to github, gitlab, bitbucket, and any other
> repository of code that allows removal.
>
>
> Indeed, but let me be more less cryptic on what I was referring to: what
> I find more dangerous in this npm story is that:
>
> "[...] the global names used by the removed packages are available for
> anyone to register and replace with any code they wish.The fact that
> this is possible with NPM seems really dangerous. The author unpublished
> (erm, "liberated") over 250 NPM modules, making those global names (e.g.
> "map", "alert", "iframe", "subscription", etc) available for anyone to
> register and replace with any code they wish. Since these libs are now
> baked into various package.json configuration files (some with 10s of
> thousands of installs per month, "left-pad" with 2.5M/month), meaning a
> malicious actor could publish a new patch version bump (for every major
> and minor version combination) of these libs and ship whatever they want
> to future npm builds." [1].
>
> I just don't know if hex.pm <http://hex.pm> does some checksum of code,
> which would impeded for this to happen.
Don't know about hex, but this particular problem doesn't exist when you
refer to git commits directly.
Just saying. :-)
--
Loïc Hoguin
http://ninenines.eu
Author of The Erlanger Playbook,
A book about software development using Erlang
More information about the erlang-questions
mailing list