I don't have much time right now but I do want to weigh in on this. I have some concerns about the security aspects of this.

1. Malicious code gets into a plugin in our plugins repo/list (quite possible, since we don't control most of them).
2. asdf user clones down a git repository for an open source project.
3. Its .tool-versions file references the asdf plugin in the plugin repo containing malicious code.
4. Malicious code in the plugin is invoked and can do anything on the user's system.

Notice the user did not run any code in the software project they just cloned down. Maybe they don't actually trust the code at all. But it's not obvious to the user that the .tool-versions file is actually dictating what code is downloaded and run on their system when they run `asdf install`. While this may not be very likely, it is possible and poses a very real security risk.

I know that this issue just builds on the previous plugin-repository work, but I think this is probably a bad idea. If we do decide to move forward with this there must be a configuration setting added to asdf to disable this functionality entirely, so that paranoid people like me can sleep at night. I manually install all my asdf plugins so I know exactly what's installed on my system. I do not let the plugin repository dictate what gets …

I think your security concerns are perhaps slightly misplaced by virtue of the fact that the intended plugin usage is still governed by the .tool-versions file. In security terms, you are concerned about Supply Chain Attacks. Although a valid concern, it is not the responsibility of the tooling author to mitigate this. The responsibility lies squarely on the shoulder of the end-user. The security tools today rely heavily on CVE (Common Vulnerability and Exposure) databases and in some cases are very expensive too.
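As an added example, not part of the thread above or of the asdf project, here is the kind of pre-flight check the "I manually install all my asdf plugins" position implies: before running `asdf install` in a freshly cloned repository, list the plugins its `.tool-versions` names that are not already installed locally, since those are exactly what an auto-install feature would fetch from the plugin repository unasked. The installed-plugin list is taken from a file (in real use you would feed it the output of `asdf plugin list`); the sample inputs are constructed so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example, not asdf's own code. Reports plugins referenced by a
# .tool-versions file that are missing from the local plugin list.
#
# untrusted_plugins <path/to/.tool-versions> <file with one installed plugin per line>

untrusted_plugins() {
  tool_versions="$1"
  installed="$2"
  # .tool-versions lines look like "<plugin> <version> [<fallback>...]";
  # the first field is the plugin name. Blank lines and comments are skipped.
  awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$tool_versions" | sort -u |
  while IFS= read -r plugin; do
    # grep -qx: exact whole-line match against the installed list
    if ! grep -qx -- "$plugin" "$installed"; then
      printf '%s\n' "$plugin"
    fi
  done
}

# Constructed sample input: a project's .tool-versions and a stand-in for
# the output of `asdf plugin list` on this machine.
tmp="$(mktemp -d)"
cat > "$tmp/.tool-versions" <<'EOF'
# versions pinned by the project
nodejs 18.17.0
ruby 3.2.2
some-unknown-tool 1.0.0
EOF
printf 'nodejs\nruby\n' > "$tmp/installed.txt"

# Prints only the plugin that would have to be fetched: some-unknown-tool
untrusted_plugins "$tmp/.tool-versions" "$tmp/installed.txt"
```

A non-empty result is the cue to inspect the named plugin (or decline) before letting `asdf install` proceed.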