@hipsterelectron Idea: an audit tool made for software authors/maintainers and distros that will tell you a bunch of sussy stuff your deps or potential deps are doing that might make them good targets for backdoors, like ifunc.
Rich Felker (dalias@hachyderm.io), Saturday, 20-Jul-2024 04:49:15 JST: (no text in this status)
Rich Felker (dalias@hachyderm.io), Saturday, 20-Jul-2024 04:50:08 JST:
@puppygirlhornypost @hipsterelectron Not a tool to automatically traverse package dep trees (we have those, no?) but to evaluate an individual library for things like thread unsafe init/exit code, sketchy dynamic code mechanisms, ctors with side effects, etc - things that might make your program vulnerable to bugs or backdoors just by linking the lib even if you don't call it.
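A sketch of the single-library check described in the post above, added here as an example and not a tool anyone in the thread wrote: it reads the text output of `readelf -sW` and `readelf -SW` (the sample below is constructed, not taken from a real library) and reports IFUNC symbols, constructor/destructor array entries, and imports of dynamic-loading primitives. Whether init code is thread-safe cannot be judged from a symbol scan, so that check is deliberately left out.

```python
import re
import subprocess
from collections import namedtuple

# Imports whose presence in a library's dynsym is worth a closer look; this
# list is an assumption of the example, not a verdict on the library.
DYNAMIC_CODE_IMPORTS = {"dlopen", "dlmopen", "dlsym", "mprotect"}

# Columns of `readelf -sW`: Num: Value Size Type Bind Vis Ndx Name
SYM_RE = re.compile(r"^\s*\d+:\s+[0-9a-f]+\s+\d+\s+(?P<type>\S+)\s+\S+\s+\S+"
                    r"\s+(?P<ndx>\S+)\s+(?P<name>\S+)")
# Columns of `readelf -SW`: [Nr] Name Type Address Off Size ES Flg Lk Inf Al
SEC_RE = re.compile(r"^\s*\[\s*\d+\]\s+(?P<name>\.(?:init|fini)_array)\s+\S+"
                    r"\s+[0-9a-f]+\s+[0-9a-f]+\s+(?P<size>[0-9a-f]+)\s+(?P<es>[0-9a-f]+)")

Finding = namedtuple("Finding", "kind detail")

def audit_library(readelf_syms: str, readelf_sections: str) -> list:
    """Return Finding(kind, detail) tuples for one library's readelf output."""
    findings = []
    for line in readelf_syms.splitlines():
        m = SYM_RE.match(line)
        if not m:
            continue
        name = m.group("name").split("@")[0]  # strip the @GLIBC_x.y version tag
        if m.group("type") == "IFUNC":
            findings.append(Finding("ifunc", name))
        elif m.group("ndx") == "UND" and name in DYNAMIC_CODE_IMPORTS:
            findings.append(Finding("dynamic-code-import", name))
    for line in readelf_sections.splitlines():
        m = SEC_RE.match(line)
        if m:  # entries = section size / entry size, both hex in readelf output
            n = int(m.group("size"), 16) // int(m.group("es"), 16)
            findings.append(Finding("ctor-array", f"{m.group('name')} has {n} entries"))
    return findings

def audit_file(path: str) -> list:
    """Run readelf on a real shared object (binutils assumed installed)."""
    syms = subprocess.run(["readelf", "-sW", path], capture_output=True, text=True).stdout
    secs = subprocess.run(["readelf", "-SW", path], capture_output=True, text=True).stdout
    return audit_library(syms, secs)

# Constructed sample output, shaped like readelf's but not from any real library.
SAMPLE_SYMS = """Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND dlopen@GLIBC_2.34 (2)
     2: 0000000000001139    19 IFUNC   GLOBAL DEFAULT   14 memcpy_dispatch
     3: 0000000000001160    30 FUNC    GLOBAL DEFAULT   14 lib_helper
"""
SAMPLE_SECTIONS = """  [17] .init_array       INIT_ARRAY      0000000000003dd0 002dd0 000010 08  WA  0   0  8
  [18] .fini_array       FINI_ARRAY      0000000000003de0 002de0 000008 08  WA  0   0  8
"""
```

`audit_file` is the hook a package-manager traversal would call per node; `audit_library` is what it does with one library.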
Amber (puppygirlhornypost@transfem.social), Saturday, 20-Jul-2024 04:50:09 JST:
@dalias@hachyderm.io @hipsterelectron@circumstances.run so npm audit but for apt, dnf and other package managers? (at least for the distro side)
Rich Felker (dalias@hachyderm.io), Saturday, 20-Jul-2024 04:52:02 JST:
@puppygirlhornypost @hipsterelectron Right. Because the way you recurse is completely different if you're developer vs Debian packager vs Fedora packager, etc. But the individual lib analysis is same.
Amber (puppygirlhornypost@transfem.social), Saturday, 20-Jul-2024 04:52:03 JST:
@dalias@hachyderm.io @hipsterelectron@circumstances.run I.e. I do something like apt install shitass and the dependencies it pulls in for each package it is resolving proceed to make a call to said tool and return the result, instead of having the tool go in and resolve the dependencies for shitass, recursing through and invoking, right?
Amber (puppygirlhornypost@transfem.social), Saturday, 20-Jul-2024 04:52:04 JST:
@dalias@hachyderm.io @hipsterelectron@circumstances.run that's what I'm saying: have the package manager handle the traversal, no need to sit there having your own dependency graph when you can damn nearly expect something on the system has its own. I see what you're saying though: instead of making it iterate through, you just call it on each package in the tree, presumably by hooks.
Rich Felker (dalias@hachyderm.io), Saturday, 20-Jul-2024 04:52:05 JST:
@puppygirlhornypost @hipsterelectron No, traversal of some particular dep tree is another layer. No reason to combine them when you can factor two completely independent things. This is a hypothetical tool to evaluate one node in the tree, that could be called from any existing traversal tool.
Amber (puppygirlhornypost@transfem.social), Saturday, 20-Jul-2024 04:52:06 JST:
@dalias@hachyderm.io @hipsterelectron@circumstances.run so a static analysis tool that's aware of dependencies and can traverse them? I mean yeah that would be nice, kinda surprised that doesn't exist already, especially for environments such as Debian where it's commonplace to provide both "deb" and "deb-src".
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me), Saturday, 20-Jul-2024 04:53:56 JST:
@dalias @puppygirlhornypost @hipsterelectron Reminds me that Debian has a few useful things in Lintian, some of which inspect the source directory, but it's sadly made in a Debian-specific way.