1. Ban libraries that have names that might be confused with others (so no I where L is etc).
2. Only use libraries that have been around for over 1 year (you're relying on the community to debug them).
I think with these two alone you might get rid of most issues. The problem is that someone might buy an old, trusted name and then inject malicious code. I don't know of a technical way to enforce change of ownership that might be useful and not too much work. Alternatively a nefarious player might release useful code, bide their time to get a reputation, and then inject malicious code.
Short Life VMs are a good idea but sometimes you want them all to talk to each other.
The problems are forks, though. Anybody can create a copy and the problem is that e.g. on Github there are tons of library clones that aren't even marked as fork, because they have been cloned and then imported as a new library for whatever reason by the new maintainer. I've often had substantial troubles finding the original library or the most well-maintained fork.
Large repos like Github should do an automated similarity search and prominently display potential older (as in creation date) versions of the same library even if they are not forked from the original repo directly.
> Ban libraries that have names that might be confused with others (so no I where L is etc).
I agree that this is some obvious low-lying fruit here. Given that the onus is currently on devs here, an actionable solution today is to use a font which makes the differences between i, I, L, 1 easily distinguishable (obviously not fool-proof), or bake a check for malevolently named dependencies into your linter or plugin.
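One way to bake that check into a build step, as an added example that is not code from anyone in this thread: each dependency name is reduced to a "confusable skeleton" (l/I/1, o/0, rn/m collapsed) and compared against a curated allowlist of trusted names, so a lookalike is flagged and a name the team has never vetted is reported separately. The allowlist, the requirements.txt-style manifest and the function names are all constructed for the example.

```python
"""Flag dependency names that are confusable with trusted package names."""
import re
import unicodedata

# Glyph pairs that are hard to tell apart in many fonts; each is mapped to one
# representative so that e.g. "urlIib3" and "urllib3" share the same skeleton.
# Separators are folded too, matching how package indexes normalise names.
_CONFUSABLE_MAP = str.maketrans({"l": "1", "i": "1", "|": "1", "o": "0",
                                 "_": "-", ".": "-"})


def skeleton(name: str) -> str:
    """Collapse a package name to its confusable skeleton (lowercase)."""
    s = unicodedata.normalize("NFKC", name).lower()   # fold width/compat forms
    s = s.replace("rn", "m").replace("vv", "w")       # two-glyph lookalikes
    return s.translate(_CONFUSABLE_MAP)


def parse_requirements(text: str) -> list[str]:
    """Return bare package names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        # "requests[socks]>=2.0" -> "requests": cut at extras/specifier/marker
        names.append(re.split(r"[\[><=!~;\s]", line, maxsplit=1)[0])
    return names


def audit(dep_names: list[str], trusted: set[str]) -> dict:
    """Classify each dependency as ok, confusable-with-trusted, or unknown."""
    by_skel = {skeleton(t): t for t in trusted}       # assumes unique skeletons
    report = {"ok": [], "confusable": [], "unknown": []}
    for dep in dep_names:
        if dep.lower() in trusted:
            report["ok"].append(dep)
        elif skeleton(dep) in by_skel:                # lookalike of a trusted name
            report["confusable"].append((dep, by_skel[skeleton(dep)]))
        else:                                         # never vetted: review it
            report["unknown"].append(dep)
    return report


# Constructed sample input: a manifest with three lookalike names and one
# unvetted-but-honest name, checked against a constructed allowlist.
TRUSTED = {"requests", "urllib3", "pillow", "colorama"}
SAMPLE_REQUIREMENTS = """\
requests>=2.31      # exact trusted name
urlIib3==2.0.7      # capital I in place of l
pi1low              # digit 1 in place of l
co1orama[extra]
numpy               # not on the allowlist, but not a lookalike either
"""

if __name__ == "__main__":
    print(audit(parse_requirements(SAMPLE_REQUIREMENTS), TRUSTED))
```

The NFKC step catches width and compatibility variants but not cross-script homoglyphs such as Cyrillic letters; extending `_CONFUSABLE_MAP` with those is the natural next step.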