undefined | Better HN

0 pointslrvick7mo ago0 comments

Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.

Everything must be provided as source code and any compilation must happen locally.

0 comments

Sure, but then you need to have a way to whitelist

lrvickOP7mo ago

The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.

j / k navigate · click thread line to collapse

0 pointslrvick7mo ago0 comments

Downloading binaries as part of an installation of a scripting language library should always be assumed to be malicious.

Everything must be provided as source code and any compilation must happen locally.

Sure, but then you need to have a way to whitelist

lrvickOP7mo ago

The whitelist is the package-lock.json of the hashes of libraries you or a security reviewer you trust has reviewed.

j / k navigate · click thread line to collapse