On Saturday, 16 September 2017 at 17:09:34 UTC, David Gileadi
wrote:
Let me preface this by saying I love package managers and think
dub is one of the best things with dlang. However they can also
sometimes be dangerous, as this PyPI incident[1] shows: several
Python packages were uploaded that contained names similar to
the standard library, and had an extra semi-malicious payload.
They are apparently now part of live software.
You could of course expect developers to do due diligence with
the things they download, but of course they don't. It's
probably worth paying attention to what the PyPI devs do to
help mitigate this, and perhaps repeat some of those things
with dub.
[1]
https://arstechnica.com/information-technology/2017/09/devs-unknowingly-use-malicious-modules-put-into-official-python-repository/
maybe we should have an option to add a hash with the package
version, to be able to check the integrity of the code that it's
downloaded?