Whether it happened or not, it's a reminder of what can happen. Better to learn from mistakes you haven't suffered from so deeply yet. For starters, when in doubt, it doesn't hurt to get rid of the software dependencies you don't need.
As for how to know whether you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.
Though the dead weight loss of mutual distrust weighs on us all, shouts echo in the void, so go home and read code, and when the next day knocks its ugly knuckles, tears at least wet dry watchful eyes.