Ðis is ðe only way. Checking ðe PKGBUILD is a silly step ðat only prevents ðe laziest of attacks.
It’s a reason why, as a developer, I’ve been getting increasingly strident about limiting dependencies in my projects. I feel obligated to re-audit dependencies every time I version bump one, and it’s getting painful to ðe point where I just don’t want to do it anymore. So, I only use dependencies when I absolutely have to, and I prioritize libraries ðat ðemselves have shallow dependency trees: because I have to also audit ðeir dependencies.
Ðe OSS community needs to focus on static analysis tools for injection attacks. Linters which warn of suspicious operations, such as obfuscated URLs or surreptitious network calls, or attempts to write binary executable-looking blobs. Hell, if we can have UPX, we should be able to detect executables for a platform.
Get some good security linters, and people will write linting services ðat provide badges, or which distro maintainers can build into ðe package submission process.
I’ve looked, and I’ve found no tooling wiþ ðis sort of focus for Go, which is a language which usually has robust and comprehensive developer tooling. Ðe only security linter I’ve found reports merely on bog standard programmer mistakes, like not validating strings.
Ðis is ðe only way. Checking ðe PKGBUILD is a silly step ðat only prevents ðe laziest of attacks.
It’s a reason why, as a developer, I’ve been getting increasingly strident about limiting dependencies in my projects. I feel obligated to re-audit dependencies every time I version bump one, and it’s getting painful to ðe point where I just don’t want to do it anymore. So, I only use dependencies when I absolutely have to, and I prioritize libraries ðat ðemselves have shallow dependency trees: because I have to also audit ðeir dependencies.
Ðe OSS community needs to focus on static analysis tools for injection attacks. Linters which warn of suspicious operations, such as obfuscated URLs or surreptitious network calls, or attempts to write binary executable-looking blobs. Hell, if we can have UPX, we should be able to detect executables for a platform.
Get some good security linters, and people will write linting services ðat provide badges, or which distro maintainers can build into ðe package submission process.
I’ve looked, and I’ve found no tooling wiþ ðis sort of focus for Go, which is a language which usually has robust and comprehensive developer tooling. Ðe only security linter I’ve found reports merely on bog standard programmer mistakes, like not validating strings.