Submitted via IRC for TheMightyBuzzard
Barely a week has passed since the last attempt to hide a backdoor in a code library, and today we have a new case. This time the backdoor was found in a Python module rather than an npm (JavaScript) package.
The module is SSH Decorator (ssh-decorate), a library for handling SSH connections from Python code, developed by Israeli developer Uri Goren.
(Score: 3, Insightful) by bart9h on Friday May 11 2018, @10:15PM (3 children)
Makes one wonder whether there may also be some backdoors that went unnoticed.
(Score: 2, Informative) by Anonymous Coward on Friday May 11 2018, @10:23PM (2 children)
Mr Plow is on it [soylentnews.org]; nobody's backdoor will be safe.
On a more serious note, it seems there are too many language-specific package managers out there and not enough eyeballs on the code.
(Score: 1, Insightful) by Anonymous Coward on Friday May 11 2018, @11:56PM (1 child)
There is no advantage to open-source code being available for anyone to review, if no one actually does.
(Score: 5, Insightful) by coolgopher on Saturday May 12 2018, @02:21AM
I disagree. There is still the advantage that the open-source code *can* be reviewed. Without going through six months of setting up agreements, NDAs, and other lawyering.
(Score: -1, Troll) by Anonymous Coward on Friday May 11 2018, @11:10PM (1 child)
When a Jew is giving something away for free, why are you surprised that there's a catch?
(Score: -1, Troll) by Anonymous Coward on Saturday May 12 2018, @04:58AM
Whenever a Jew is mentioned expect the racist meatbags to make their presence known.
(Score: 0) by Anonymous Coward on Friday May 11 2018, @11:13PM (1 child)
Whoever is in charge of python's security should be fired. Wouldn't surprise me if they turn or to be a music major with a minor in blowjobs.
(Score: 0) by Anonymous Coward on Sunday May 13 2018, @01:26AM
So, you're overqualified to fill the job?
(Score: 2) by pkrasimirov on Saturday May 12 2018, @04:47PM (2 children)
Repo is down; does anybody have it, to do a git blame? Any name from the commit? TFA says it was introduced after v0.27.
(Score: 2) by pkrasimirov on Saturday May 12 2018, @04:52PM
Ah wait, my mistake. It was never committed in git, lol, only in binary (pypi.org).
https://webcache.googleusercontent.com/search?q=cache:vjUIkPX1-0EJ:https://github.com/urigoren/ssh_decorator/issues/11+ [googleusercontent.com]
(Score: 0) by Anonymous Coward on Saturday May 12 2018, @04:55PM
Yeah, because that can't be faked? Only way to have real stuff there is to SIGN YOUR COMMITS! (or even release tags).
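The two comments above make the practical point: a backdoor that was only ever added to the PyPI release and never committed to git is invisible to `git blame`, but it is exposed by diffing the released sdist against the tagged source tree. The following is an added example of that check, not code from the thread or from the ssh-decorate project. It assumes a hypothetical package called `mypkg`; the checkout and the release tarball are constructed inline so it runs offline, and the one-line "injection" is a stand-in, not the real ssh-decorate payload.

```python
"""Diff a released sdist tarball against a source checkout.

Added example (not from the thread or from ssh-decorate): flag files that
exist only in the release, files missing from it, and files whose content
differs from the checkout. Package name `mypkg` and all inputs are made up.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def file_digests(root: Path) -> Dict[str, str]:
    """SHA-256 of every regular file under root, keyed by relative POSIX path."""
    out: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def sdist_digests(sdist_bytes: bytes) -> Dict[str, str]:
    """SHA-256 of every regular file inside an sdist tarball.

    The leading 'name-version/' directory is stripped so paths line up with
    the checkout.
    """
    out: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not m.isfile():
                continue
            rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
            data = tf.extractfile(m).read()
            out[rel] = hashlib.sha256(data).hexdigest()
    return out


def is_generated(path: str) -> bool:
    """Files setuptools writes into an sdist that are normally not tracked in git.

    Anything not covered here that shows up only in the release deserves a look.
    """
    return path == "PKG-INFO" or ".egg-info/" in path


def compare_release(repo: Dict[str, str], release: Dict[str, str]
                    ) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_in_release, only_in_repo, changed), sorted lists of paths."""
    release = {p: h for p, h in release.items() if not is_generated(p)}
    only_in_release = sorted(set(release) - set(repo))
    only_in_repo = sorted(set(repo) - set(release))
    changed = sorted(p for p in set(repo) & set(release) if repo[p] != release[p])
    return only_in_release, only_in_repo, changed


def build_demo() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed sample: a two-file checkout and a release tarball in which
    one module gained an extra import (standing in for an injected payload)
    and one file exists only in the release."""
    clean = b"import paramiko\n\ndef connect(host):\n    return paramiko.SSHClient()\n"
    tampered = clean + b"\nimport urllib.request  # constructed: present only in the release\n"
    setup_py = b"from setuptools import setup\nsetup(name='mypkg')\n"

    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "mypkg").mkdir()
        (root / "mypkg" / "__init__.py").write_bytes(clean)
        (root / "setup.py").write_bytes(setup_py)
        repo = file_digests(root)

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in [
            ("mypkg-1.0/mypkg/__init__.py", tampered),
            ("mypkg-1.0/setup.py", setup_py),
            ("mypkg-1.0/PKG-INFO", b"Metadata-Version: 2.1\nName: mypkg\n"),
            ("mypkg-1.0/mypkg/helper.py", b"# constructed: file that only exists in the release\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return repo, sdist_digests(buf.getvalue())


if __name__ == "__main__":
    repo, release = build_demo()
    new, missing, changed = compare_release(repo, release)
    print("only in release:", new)
    print("only in checkout:", missing)
    print("changed:", changed)
```

Against a real package, `file_digests` is pointed at a checkout of the release tag and `sdist_digests` at the `.tar.gz` downloaded from PyPI. Any entry in `changed` or an unexpected entry in `only_in_release` is the kind of thing that did not exist in git here. The comparison only tells you that the artifact and the tag differ; to know the tag itself is the maintainer's, you still need the signed tag or commit the last comment asks for.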