tools-deps

Martynas Maciulevičius 2023-07-02T20:31:16.346109Z

Hey. Is this relevant to when a package uses a git repository directly? https://news.ycombinator.com/item?id=36556436#36558002

Martynas Maciulevičius 2023-07-03T08:50:33.163519Z

> maybe? is there a clearer explanation somewhere?

I don't know. This is the only post that I encountered. I think that the attack is simply that the repository could execute code on behalf of user's account. And this means that it could interact with ~/.bashrc and other important files.

Alex Miller (Clojure team) 2023-07-03T12:01:40.704759Z

No one checks anything about the signed package, just that you uploaded a signature file. A consuming client can verify the jar is signed and check that the publishing identity matches the expected identity, but this is optional (no one does it) and manual (it’s up to you to determine whether the key is the expected key)

Martynas Maciulevičius 2023-07-03T12:03:21.412349Z

> No one checks anything about the signed package, just that you uploaded a signature file.

I was not thinking about signed packages. I was only thinking about source dependencies that aren't compiled. You have to use git underneath so this is why I wrote about this.

Alex Miller (Clojure team) 2023-07-02T21:45:14.859789Z

maybe? is there a clearer explanation somewhere?

Alex Miller (Clojure team) 2023-07-02T21:53:40.774319Z

tdeps git libs are bare repositories, but always used in explicit mode, I can't tell if that eliminates the issue or not

Alex Miller (Clojure team) 2023-07-02T22:02:04.830019Z

I'm not sure I fully understand every detail, but it does not seem like tdeps git libs does the things that would be a problem because it never runs a command in a sub dir and always uses explicit bare repos

2023-07-02T23:41:53.140159Z

I feel in general you should trust your git deps, they can use prep or as soon as you run your code, they'll be loaded in and can evaluate anyways, no? It'd still be nice to remove any possible exploit, but I wouldn't consider it safe personally to depend on an untrusted git dep no matter what.

2023-07-02T23:43:18.684379Z

That's why I personally find Maven Central the safest. They go out of their way to validate the source and make sure nothing can be hijacked.

Alex Miller (Clojure team) 2023-07-03T01:11:13.975199Z

Do they? They validate that you control the groupId domain somehow. I’m not sure that they validate anything about a repo at all

2023-07-03T05:36:12.148649Z

Sorry, I meant the source of the package, like who published it, they don't validate the source code. But you can be sure that you are getting the authentic package as published by the actual owner, since they have to prove domain ownership, and every file needs to be signed, and the groupId prevents hijacking, etc.

2023-07-03T05:36:30.485059Z

I think Clojars does a bit more validation now as well.