Linux Format

Poisoning the well

Supply chain attacks are becoming more common, and open source package management might be the new battleground


One thing that Linux users don’t often do is download and run random binaries from the internet. For years though, this was the only way to install software on Windows, and naturally it was a great vector for spreading malware too.

Today there’s the Windows Store, which is generally awful, but does at least provide some reassurances that Universal Windows Program (UWP) applications haven’t been tampered with. Many of those application bundles that you download and execute yourself are also signed with a developer certificate, so even if you don’t check the signatures yourself, you can be reasonably confident the program is what the web page says it is.

Great package management systems have long made Linux users proud. Since 1993 we’ve had robust systems for cleanly fetching, installing and removing applications. Maybe we had to wait until 1998 before package management could solve the dependency hell problem. But at least we didn’t have to trawl through various windows\subdirectories and Registry keys just to tidy up a no-longer-needed application.

Only trusted individuals are allowed to approve packages for inclusion in official distribution repositories, so this means you can generally trust the contents of those repos, especially given the signature checks that are built into Apt, DNF, Pacman or any other package manager you could care to name. If you want software not available in your distro’s repos, then you can either compile it yourself (if you trust the code) or use a third-party package. The latter assumes that you trust not only the code, but also that the person packaging it hasn’t meddled with it. This is why we always caution against adding random PPAs (Personal Package Archives) or third-party repos, even if they’re a handy way of getting new software.

New style of packaging

Now though, there’s a new kind of package management, and it extends this set of problems. If you look at any beginner Python project that does something cool in not very many lines of code (LoC), then chances are somewhere early on in the code are a bunch of import statements, which pull in external modules outside of the core Python language. Most ‘distributions’ of Python include a core set of modules, which vastly expand what one can do with the language. And if you need to go further, your OS’s repository contains packages for other Python modules. There’s more to this, but permit us a small diversion.

If instead you look at programming in JavaScript, you’ll see the same thing, but with