upvote

points

by ImPostingOnHN3 hours ago |
comments
upvoteby bandrami3 hours ago|
next
[-]
That's why we don't let the developers run system package manager install scripts as root. We do let them run npm inside containers, which is still more access than I'd like them to have.
reply
upvoteby icedchai1 hours ago|
parent|
[-]
Is this one of those places where it takes 6 to 12 weeks to get something new installed on your machine?
reply
upvoteby bandrami1 hours ago|
parent|
[-]
You mean directly on the machine? Not in a container? That would be a recklessly fast timeline. The configuration control board meets quarterly and it usually takes 4 or 5 meetings to clear a piece of software.
reply
upvoteby icedchai1 hours ago|
parent|
[-]
Interesting. How about in a container? What industry is this, just curious?
reply
upvoteby bandrami1 hours ago|
parent|
[-]
Defense. Containers on our normal network are the wild west, but anything that touches the secure network has to be signed off on by the clients.
reply
upvoteby jdiff3 hours ago|
prev|
next
[-]
Most package managers with postinstall scripts are also heavily curated and have reputation systems. As you say, they run as root, so the high trust requirement is definitely warranted. Anyone can upload an npm package.
reply
upvoteby 2 hours ago|
parent|
[-]
deleted
reply
upvoteby skydhash3 hours ago|
prev|
next
[-]
I think it’s just a bundle of issues. Deep graph of dependencies, distribution of minimized code (java has jars, but I don’t remember scripts), and nearly impossible to audit. With most projects in other ecosytems, you only have to interact with a few developer/orgs. But with npm, you add one library and you need to essentially trust 10s of entities on the internet.
reply
upvoteby TylerE3 hours ago|
prev|
[-]
Nearly every package manager I've ever used had post-install scripts.

You're collapsing two different threat models. The risk isn't that code runs, it's WHEN it runs. This worm spreads because npm install runs arbitrary scripts as you, automatically, just from resolving the tree. You don't have to build it, run it, or even import it. Opening the project in an IDE is enough. apt/dnf scripts run on packages a maintainer signed and a distro gatekept. Not on whatever some rando pushed to a public scope 20 minutes ago that landed in your lockfile six levels deep. "They both technically execute code" is true and beside the point. One runs signed code from a trusted path, the other runs unsigned code from the default automated path. That's the whole ballgame.

reply
upvoteby ImPostingOnHN3 hours ago|
parent|
next
[-]
> You're collapsing two different threat models. The risk isn't that code runs, it's WHEN it runs.

> You don't have to build it, run it, or even import it

If you just installed something with npm, chances are you'll be running it shortly, either as a tool or a library, probably minutes or seconds later. I imagine the use case of installing an npm package you don't plan on using or transitively importing, constitute a small portion of npm installs.

reply
upvoteby ChocolateGod2 hours ago|
parent|
prev|
[-]
> apt/dnf scripts run on packages a maintainer signed and a distro gatekept

Unfortunately apt/dnf isn't much better here because random tutorials online suggest people add random repositories where the creator of any repository effectively has root access to anyone machine that adds it as a remote.

reply
upvoteby orphea2 hours ago|
parent|
next
[-]
Don't add random repositories from random tutorials? Come on, it's basic Internet hygiene. Entirely different thing.
reply
upvoteby 2 hours ago|
parent|
[-]
deleted
reply
upvoteby Zardoz841 hours ago|
parent|
prev|
[-]
It's the exact same problem when random tutorials (and official pages) recommend to do a curl "URL" | bash to install something. Every time that I see it, I look it suspicious.
reply