Hey. Is this relevant to when a package uses a git repository directly? https://news.ycombinator.com/item?id=36556436#36558002
> maybe? is there a clearer explanation somewhere?
I don't know. This is the only post that I encountered.
I think that the attack is simply that the repository could execute code on behalf of user's account. And this means that it could interact with ~/.bashrc and other important files.
No one checks anything about the signed package, just that you uploaded a signature file. A consuming client can verify the jar is signed and check that the publishing identity matches the expected identity, but this is optional (no one does it) and manual (it’s up to you to determine whether the key is the expected key)
> No one checks anything about the signed package, just that you uploaded a signature file. I was not thinking about signed packages. I was only thinking about source dependencies that aren't compiled. You have to use git underneath so this is why I wrote about this.
maybe? is there a clearer explanation somewhere?
tdeps git libs are bare repositories, but always used in explicit mode, I can't tell if that eliminates the issue or not
I'm not sure I fully understand every detail, but it does not seem like tdeps git libs does the things that would be a problem because it never runs command in a sub dir and always uses explicit bare repos
I feel in general you should trust your git deps, they can use prep or as soon as you run your code, they'll be loaded in and can evaluate anyways no. It's still be nice to remove any possible exploit, but I wouldn't consider it safe personally to depend on an untrusted git deps no matter what
That's why I personally find Maven Central the safest. They go out of their way to validate the source and make sure nothing can be hijacked.
Do they? They validate that you control the groupId domain somehow. I’m not sure that they validate anything about a repo at all
Sorry, I meant the source of the package, like who published it, they don't validate the source code. But you can be sure that you are getting the authentic package as published by the actual owner, since they have to prove domain ownership, and every file needs to be signed, and the groupId prevents hijacking, etc.
I think Clojars does a bit more validation now as well.