
[bug#53765] [PATCH 12/17] gnu: Add clojure-com-cognitect-http-client.


From: Maxime Devos
Subject: [bug#53765] [PATCH 12/17] gnu: Add clojure-com-cognitect-http-client.
Date: Mon, 07 Feb 2022 20:30:04 +0100
User-agent: Evolution 3.38.3-1

Reily Siegel schreef op ma 07-02-2022 om 13:06 [-0500]:
> This code is taken directly from Maven, as are many Java packages. This
> relies on whatever authentication Maven does to ensure packages are not
> forgeries.

I took a look at <https://maven.apache.org> and AFAICT Maven does not
have any process in place to prevent forgeries or malicious code;
there does not appear to be any vetting process, though perhaps
I haven't looked far enough.

A web page from Cognitect telling ‘grab source code from Maven
(com/cognitect/http-client)’, combined with going over the source
code to sniff things like ‘Send ~/.gnupg to evil.com’ should be
sufficient.

For the damage the absence of a vetting process can do,
see e.g. <https://lwn.net/Articles/694830/>.  The same issue
appears to hold for PyPI, RubyGems and npm.

Greetings,
Maxime.

Attachment: signature.asc
Description: This is a digitally signed message part
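As an added illustration of the ‘go over the source code’ step mentioned in the message above (my own example, not code from this thread, from Guix or from Cognitect): a small Python triage script that flags files in an unpacked source tree which combine a reference to a sensitive local path with network I/O, so a reviewer knows where to read first. The pattern lists and the sample files are constructed assumptions, and the check is a heuristic, not proof of anything.

```python
"""Triage helper for reviewing a third-party (e.g. Maven-sourced) tree.

Flags source files that both mention a sensitive local path and use a
network API. Hits are review candidates, not verdicts. (Added example.)
"""
import os
import re
from typing import Dict, List

# Assumed pattern lists; extend for the ecosystem being reviewed.
SENSITIVE_PATHS = re.compile(r"\.gnupg|\.ssh|\.m2/settings\.xml|\.netrc")
NETWORK_APIS = re.compile(
    r"java\.net\.|HttpURLConnection|HttpClient|new Socket\(|\.openConnection\(")

# Constructed sample tree: one benign HTTP client, one file that should be flagged.
SAMPLE_TREE: Dict[str, str] = {
    "src/Client.java": (
        "import java.net.http.HttpClient;\n"
        "class Client { void get(String url) { HttpClient.newHttpClient(); } }\n"
    ),
    "src/Exfil.java": (
        "import java.net.Socket;\n"
        "class Exfil { void run() throws Exception {\n"
        "  String home = System.getProperty(\"user.home\") + \"/.gnupg\";\n"
        "  new Socket(\"example.invalid\", 443);\n"
        "} }\n"
    ),
}

def classify(text: str) -> List[str]:
    """Return the reasons a file deserves a closer look (empty = nothing seen)."""
    reasons = []
    if SENSITIVE_PATHS.search(text):
        reasons.append("sensitive-path")
    if NETWORK_APIS.search(text):
        reasons.append("network-io")
    return reasons

def triage(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Keep only files that show both a sensitive path and network I/O."""
    flagged = {}
    for path, text in files.items():
        reasons = classify(text)
        if len(reasons) == 2:
            flagged[path] = reasons
    return flagged

def load_tree(root: str, exts=(".java", ".clj")) -> Dict[str, str]:
    """Read a real unpacked source tree into the same shape as SAMPLE_TREE."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out[path] = fh.read()
    return out

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_TREE).items():
        print(f"review first: {path}: {', '.join(reasons)}")
```

Run `triage(load_tree("/path/to/unpacked/source"))` on a real checkout; with the sample tree only src/Exfil.java is flagged.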

