It would be excellent, but not trivial, to wrap all smoke tests in some
sort of security policy.
In the example below, this wrapper would look for attempts to reach out
over the network, or ports being opened by the code.
This could be compared to something defined by the author, either via
meta files or as part of the testing.
Similarly, examining what the code does on the local system - poking
around in /etc or something. Like an AppArmor / SELinux type of thing.
Such an initiative would be extremely proactive and likely bring wide
praise.
Dean
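One way the policy check described above could be built, as an added example that is not code from this thread or from the cpan-testers project: the wrapper runs the smoke test under `strace -f -e trace=network,file`, reduces the trace to connect / listen / open events, and compares them with an author-declared policy (the trace text, the policy format and the key names are all constructed assumptions).

```python
import re

# Constructed sample of `strace -f -e trace=network,file` output captured around a
# smoke-test run (not real data: one remote connect, one listener, two /etc reads).
SAMPLE_TRACE = """\
[pid 4242] openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
[pid 4242] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid 4242] connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
[pid 4243] bind(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid 4243] connect(6, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid 4243] openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
"""

# Hypothetical author-declared policy, as a meta file in the distribution might carry it.
DECLARED_POLICY = {
    "allow_connect": {("127.0.0.1", 80)},   # test server started by the test suite itself
    "allow_listen": set(),                  # the tests should open no ports at all
    "watch_prefixes": ("/etc",),            # any path under these must be declared
    "allow_paths": {"/etc/hosts"},
}

SOCKADDR = r'\{.*?sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)'
CONNECT_RE = re.compile(r'\bconnect\(\d+, ' + SOCKADDR)
BIND_RE = re.compile(r'\bbind\(\d+, ' + SOCKADDR)
OPEN_RE = re.compile(r'\bopenat?\((?:AT_FDCWD, )?"([^"]+)"')

def parse_events(trace_text):
    """Reduce strace lines to (kind, target) tuples; an attempt counts even if it failed."""
    events = []
    for line in trace_text.splitlines():
        if m := CONNECT_RE.search(line):
            events.append(("connect", (m.group(2), int(m.group(1)))))
        elif m := BIND_RE.search(line):
            events.append(("listen", (m.group(2), int(m.group(1)))))
        elif m := OPEN_RE.search(line):
            events.append(("open", m.group(1)))
    return events

def check_policy(events, policy):
    """Return every observed event the author did not declare, in trace order."""
    violations = []
    for kind, target in events:
        if kind == "connect" and target not in policy["allow_connect"]:
            violations.append((kind, target))
        elif kind == "listen" and target not in policy["allow_listen"]:
            violations.append((kind, target))
        elif kind == "open" and target.startswith(policy["watch_prefixes"]) \
                and target not in policy["allow_paths"]:
            violations.append((kind, target))
    return violations

if __name__ == "__main__":
    for kind, target in check_policy(parse_events(SAMPLE_TRACE), DECLARED_POLICY):
        print(f"undeclared {kind}: {target}")
```

A real wrapper would feed the trace of each smoke run into `check_policy` and fail or flag the report when the list is non-empty; the failed `/etc/shadow` open is still reported, since the attempt is what matters.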
On 6/4/19 1:32 pm, Alceu Rodrigues de Freitas Junior via
cpan-testers-discuss wrote:
Hello guys,
Did you have the chance to read about this backdoor found in a popular
Ruby gem?
https://www.zdnet.com/article/backdoor-code-found-in-popular-bootstrap-sass-ruby-library/
I was wondering if there is anything we could do to avoid having the
same thing happening. Of course, there is very little we could do if
something like that happened at the code repository, but there are at
least two things we could try:
1 - Start using something like Module::Signature
2 - Fix the PAUSE TLS certificate:
Not sure if you're getting the same, but I just upgraded Firefox on
this Ubuntu 18.04 machine before hitting PAUSE.
Regards,
Alceu