
This hack exploited a fairly unique quirk in the Linux C ecosystem / culture: that packages are built from "tarballs" that are not exact copies of the git HEAD, as they also contain generated scripts with arbitrary code.

It would not have happened in any modern language. It probably wouldn't even have happened in a Visual Studio C project for Windows either.



> It would not have happened in any modern language.

It would. pip, for example, installs from tarballs uploaded to PyPI, not from a git repository.


Pip and similar are their own can of worms, yeah. They trade convenience for an almost complete lack of oversight.

But in this case we are talking about people (distro packagers) manually downloading the source and building it, which is not quite the same thing.


`pip install` does do exactly the same thing: it downloads and executes code from a tarball uploaded to PyPI by its maintainer. There's no verification process that ensures that tarball matches what's in the git repository.


Yes, I know, and that's what I meant when I said "their own can of worms".

Distro-provided Python packages don't use pip, however, at least afaik.


The distro-provided Python packages are usually still built from the source on PyPI as uploaded by the maintainer, not from what's in git.


Funny you should say that, given they definitely have exploit code in `vcpkg`.
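One way a packager could check the tarball-versus-git gap the thread keeps returning to, as an added example that is not from any commenter: hash every file in a checkout (standing in for `git ls-files` at the release tag) and report tarball members that are missing from the checkout or whose content differs from it. The checkout, tarball and file names below are constructed for the demo.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

def tree_digests(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (stand-in for `git ls-files` at the tag)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit_tarball(tar_path: Path, tracked: dict) -> dict:
    """Report members absent from the checkout ('extra') and tracked files whose content differs ('modified')."""
    extra, modified = [], []
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Release tarballs wrap everything in a top-level directory; drop it.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if rel not in tracked:
                extra.append(rel)
            elif tracked[rel] != digest:
                modified.append(rel)
    return {"extra": sorted(extra), "modified": sorted(modified)}

def demo() -> dict:
    """Constructed scenario: the tarball adds a generated `configure` and alters one tracked m4 file."""
    work = Path(tempfile.mkdtemp())
    checkout = work / "checkout"
    tracked = {"configure.ac": b"AC_INIT([demo], [1.0])\n", "m4/helper.m4": b"dnl helper macro\n",
               "src/main.c": b"int main(void) { return 0; }\n"}
    for rel, data in tracked.items():
        (checkout / rel).parent.mkdir(parents=True, exist_ok=True)
        (checkout / rel).write_bytes(data)
    release = dict(tracked, configure=b"#!/bin/sh\n# generated by autoconf\n")
    release["m4/helper.m4"] = b"dnl helper macro\ndnl line present only in the tarball\n"
    tar_path = work / "demo-1.0.tar.gz"
    with tarfile.open(tar_path, "w:gz") as tar:
        for rel, data in release.items():
            info = tarfile.TarInfo(name="demo-1.0/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return audit_tarball(tar_path, tree_digests(checkout))
```

A generated `configure` showing up as "extra" is expected for autotools releases; the files worth a close look are tracked ones reported as "modified".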



