upvote

points

by dist-epoch9 hours ago |
comments
upvoteby themafia9 hours ago|
[-]
> they can also infect the package source code itself

Which is where the concept of "safe levels" come in. I should be able to install this module in such a way where file operations and process operations are not available to it. That being said, presumably, this types of infiltration would seem to be _much_ easier to spot. "Why is this web framework calling 'spawn'?"

> I just want a .zip with the binaries

I want a .zip with the _code_. Just the code. None of the packaging nonsense. My distribution can handle that.

reply
upvoteby ashishb5 hours ago|
parent|
next
[-]
> I should be able to install this module in such a way where file operations and process operations are not available to it.

That's the definition of a sandbox, isn't it?

reply
upvoteby dist-epoch9 hours ago|
parent|
prev|
[-]
do you really think you will see a clear "spawn" call? there is a long history of obfuscating what the code does to hide backdoors, in quite ingenious ways

> I should be able to install this module in such a way where file operations and process operations are not available to i

technically browser sandboxes, WASM, do this. but then you are very limited since you can only sandbox the whole app, and not one module, so if you need local file access, you need to open it up to the whole app and all it's modules

reply