On Wed, Aug 11, 2021 at 10:55:44PM -0500, Brian Thompson wrote:

> Thank you for bringing this to everyone's attention. These are very real
> vulnerabilities.

How are they vulnerabilities?

> NPM has similar issues with stopping malicious packages from being
> published to the FTP server.

That's not what the article is about.

> Malicious packages can and do make it into the dependency sets of
> popular packages. This is a problem. I don't think that any amount of
> human effort and attention can prevent malicious packages from making it
> to the FTP server.

This, again, is not what the article is about. Malicious packages don't need these "vulnerabilities" as they can put files to your file system directly.

> Perhaps a workaround for users right now would be to have a user with
> package management sudo access, and not much else.

Ah, so you haven't read the article.

> Also, we should notify our upstream projects, and the Linux community as
> a whole, of these vulnerabilities. I believe that to be a moral
> obligation.

...

-- 
WBR, wRAR