In the past couple of years, pretty much all big package repositories were attacked by malware squatting on common typos of popular packages. I can look up the publication describing some proof-of-concept attacks on NPM in a bit.
We should at least have a note regarding this problem in there, instead of the blanket "users need to make sure they trust the source".
Interesting thought, thanks! I wonder if this is such an issue with bioconda. Compared to PyPI, it is not easy to upload things here. People need to pass the tests (ok, doable) and the human review (this could detect it). So in the paper, we could say we are aware of the issue and we think we are less vulnerable to this than approaches like PyPI. However, we intend to further improve the situation with a detection mechanism in the future.
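The detection mechanism mentioned in the comment above, sketched as an added example (this is not bioconda's own tooling and is not part of the thread): a pre-review check that flags a proposed recipe name sitting within a small edit distance of an existing, popular package name, so a reviewer sees the near-collision before approving. The list of popular names is constructed for the example; a real check would load it from the channel index. Separators are normalized away before comparing, so `sam-tools` is reported against `samtools`, and an adjacent-character swap (a common typo) counts as a single edit.

```python
"""Flag new package names that are near-collisions with popular packages.

Added example for a typosquatting pre-review check; not bioconda's own code.
"""
from typing import Iterable, List, Tuple

# Constructed sample of popular names (assumption for the example); a real
# check would read these from the channel's package index.
POPULAR_PACKAGES = ["samtools", "bcftools", "bedtools", "bwa", "snakemake", "numpy"]


def normalize(name: str) -> str:
    """Lowercase and drop separators so sam-tools, sam_tools, sam.tools all
    compare as 'samtools'."""
    return "".join(ch for ch in name.lower() if ch not in "-_.")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution,
    and transposition of two adjacent characters each cost 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost, # substitution / match
            )
            # adjacent transposition, e.g. "ls" <-> "sl"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[la][lb]


def find_near_collisions(
    candidate: str, known: Iterable[str], max_distance: int = 1
) -> List[Tuple[str, int]]:
    """Return (existing_name, distance) for every known package whose
    normalized name is within max_distance of the candidate.

    An exact (case-insensitive) match is skipped: that is an update to an
    existing package, not a new name.  A distance of 0 after normalization
    with a different raw name (sam-tools vs samtools) is still reported.
    """
    norm_c = normalize(candidate)
    hits = []
    for name in known:
        if name.lower() == candidate.lower():
            continue
        dist = damerau_levenshtein(norm_c, normalize(name))
        if dist <= max_distance:
            hits.append((name, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def review_verdict(candidate: str, known: Iterable[str] = POPULAR_PACKAGES) -> str:
    """Human-readable verdict for the reviewer: 'ok' or a needs-review line
    listing the colliding names."""
    hits = find_near_collisions(candidate, known)
    if not hits:
        return "ok"
    detail = ", ".join(f"{name} (distance {dist})" for name, dist in hits)
    return f"needs-review: {detail}"


if __name__ == "__main__":
    for proposed in ["samtoosl", "sam-tools", "nunpy", "pandas", "bwa"]:
        print(f"{proposed:12s} -> {review_verdict(proposed)}")
```

A distance threshold of 1 keeps the check quiet for legitimately distinct names (bcftools and bedtools are two edits apart and are not flagged against each other) while still catching single-typo and separator-only variants; the verdict is meant to feed the existing human review rather than block a submission outright.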