Collaborate Disseminate
Snap is yet another package manager for Linux that makes it possible to install applications not found in many apt repositories. Find out how to use Snap to keep your software up to date.
The post How to keep Snap packages up to date and take control o… Continue reading How to keep Snap packages up to date and take control of when you run the refresh command
Although the APT package manager is a simple and effective command-line tool for installing, updating, and removing software, it does have its weaknesses. Nala is here to improve on that.
The post Nala is a much cleaner, neater alternative for the APT … Continue reading Nala is a much cleaner, neater alternative for the APT package manager
The risks of supply chain attacks on software libraries is well documented, however, I have not seen much on OS packages/dependencies. How important is it to both 1) pin OS dependencies (apt,rpm,etc.) and 2) host them in private repositori… Continue reading Supply chain risks for OS packages
Does Firefox’s built-in installer for addons/extensions validate its payload’s authentication and integrity for all files it downloads before actually installing them?
I avoid in-app updates because, more often than not, developers do not … Continue reading Does Firefox’s addon/extension installer provide cryptographic authentication and integrity validation?
I have a Node.js app which has a lot of npm-dependencies, running on Linux (Centos) machine.
When Node starts, the script has access to the files outside its directory (as least by default), so malicious npm-package could traverse a direct… Continue reading Restrict node.js filesystem access
I have a server that runs Ubuntu Server 20.04 LTS. This version of nginx provided by the official repository is 1.18.0, which in turn is vulnerable to CVE-2021-23017. However, the changelog says that the version provided by the Ubuntu repo… Continue reading How to check if a certain vulnerability has been fixed with a backport? [migrated]
Looking to create a form where developers can submit requests for packages to be installed. We want to create a list of questions that can help us determine whether or not a package is safe. What are some important questions to include in … Continue reading How to vet third-party developer packages
Another question (Is it possible to block non-PyPI requests during pip install?) asked about locking down non-PyPI pip installs for security reasons. This doesn’t deal with the problem of malicious packages within PyPI itself. So, I woul… Continue reading How do you lock down PyPI access?
flatkill has been floating around for a while, and honestly it was the reason I was personally resistant to using flatpak packages for a while.
I’m wondering though, most of the article is written from the perspective that you are installi… Continue reading what are the risk associated with installing flatpaks at user level
flatkill has been floating around for a while, and honestly it was the reason I was personally resistant to using flatpak packages for a while.
I’m wondering though, most of the article is written from the perspective that you are installi… Continue reading what are the risk associated with installing flatpaks at user level