package-manager – Page 4 – WindowsTechs.com

Does apt-get enforce cryptographic authentication and integrity validation by default for all packages? (debian, ubuntu)

Posted on March 21, 2021 by Michael Altfield

Does the built-in apt package manager in Debian-based systems require successful cryptographic authentication and integrity validation for all packages?
My understanding was that software downloaded with apt-get packages would be cryptogra… Continue reading Does apt-get enforce cryptographic authentication and integrity validation by default for all packages? (debian, ubuntu)→

Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules

Posted on March 7, 2021 by Paul Ducklin

To this “researcher”, even a job not worth doing was worth overdoing. Here’s what you can learn from the incident… Continue reading Poison packages – “Supply Chain Risks” user hits Python community with 4000 fake modules→

S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs [Podcast]

Posted on February 18, 2021 by Paul Ducklin

Latest episode, listen now! (Includes special gardening safety section at no extra charge!) Continue reading S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs [Podcast]→

How to protect from dependency confusion attacks?

Posted on February 15, 2021 by user158

I recently came across following article
https://www.bleepingcomputer.com/news/security/researcher-hacks-over-35-tech-firms-in-novel-supply-chain-attack/
it describe about an exploit which exploit design flaws of different package managers… Continue reading How to protect from dependency confusion attacks?→

Does npm (Node.js package manager) provide cryptographic authentication and integrity validation?

Posted on January 12, 2021 by Michael Altfield

Does the npm package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with steps ask… Continue reading Does npm (Node.js package manager) provide cryptographic authentication and integrity validation?→

Does yarn (Node.js package manager) provide cryptographic authentication and integrity validation?

Posted on January 12, 2021 by Michael Altfield

Does the yarn package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with steps as… Continue reading Does yarn (Node.js package manager) provide cryptographic authentication and integrity validation?→

For package managers like pip, is it a better practice to install packages with the `–user` flag?

Posted on October 24, 2020 by gen

I understand that for most package managers (pip, brew, TeX tlmgr, etc) packages are typically not audited, so there are some inherent security risks in using these package managers. Sometimes the package repositories aren’t trustworthy ei… Continue reading For package managers like pip, is it a better practice to install packages with the `–user` flag?→

Homebrew and NOPASSWD sudo

Posted on August 22, 2020 by HappyFace

I like to be able to run some commands installed via Homebrew without typing my sudo password. The problem is that Homebrew installs everything with user permissions, so if I add the executables to sudo’s NOPASSWD list (via user ALL = (ALL… Continue reading Homebrew and NOPASSWD sudo→

How much damage can a malicious package do with just "npm install <package>"?

Posted on July 1, 2020 by user237586

I had a typo and npm installed something that is similar in name to something very popular — I was concerned about typosquatting. It’s quite plausibly legitimate and just a coincidence. I looked at the corresponding package and didn’t s… Continue reading How much damage can a malicious package do with just "npm install <package>"?→

Does python’s pip provide cryptographic authentication and integrity validation?

Posted on June 6, 2020 by Michael Altfield

Does python’s pip package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with step… Continue reading Does python’s pip provide cryptographic authentication and integrity validation?→