from Hacker News

Backdoor in ssh-decorator package

by jbfoo on 5/8/18, 10:25 PM with 11 comments

  • by lrvick on 5/9/18, 10:06 AM

    The solution to the impersonation aspect of this is commit signing. It is literally built into Git. There are no good excuses for project maintainers to not sign commits at this point. Grab a yubikey or other gnupg smartcard and do it. Else someone is going to impersonate you and use your name, reputation, and repos to spread malware like this. Have your git hosting provider refuse unsigned commits (github/gitlab allow this).

    Secondly stop trusting pip/pypi. You -can- upload gpg package signatures but clients totally ignore them. There is no way to verify the author of a pip package except by hand today.

    Let me be really clear here. When you install a pip package you are executing arbitrary code from the internet with unknown authorship.

    Pip is fundamentally broken until signature validation is implemented. Whenever possible use OS package managers like apt which actually verify authorship and integrity.

  • by amingilani on 5/9/18, 4:18 AM

    That is such a dick move. There should be a blacklist of people that pull these kinds of stunts. I understand that blacklists aren't Sybil resistant but they're better than nothing. At the very least the scum would have to rebuild their reputation.

  • by jwilk on 5/9/18, 11:56 AM

  • by parliament32 on 5/9/18, 4:17 PM

    The module starts with "import requests" which should be a red flag even for a cause skim of the source. The "it's open source, I'm sure someone else read over it" excuse only works when the code is popular enough... and some obscure pip package definitely isn't.

    The author of the package claims to be a "victim" here, but it's hard to tell. Too bad pip doesn't support package signing.

  • by craftyguy on 5/9/18, 4:51 AM

    Two questions:

    1) can paramiko.RSAKey handle other encryption schemes (ED25519) ? If not, folks using non-RSA keys wouldn't be affected..

    2) Having a (strong) passphrase for your key file would help prevent the perp from doing any harm with the key(s), or at the very least would give you time to invalidate the key(s). Right?