From: Konrad Hinsen <konrad.hinsen@fastmail.net>
To: zimoun <zimon.toutoune@gmail.com>
Cc: gwl-devel@gnu.org
Subject: Re: Getting started with GWL 0.3.0
Date: Tue, 23 Mar 2021 13:57:10 +0100 [thread overview]
Message-ID: <m17dlykoyh.fsf@ordinateur-de-catherine--konrad.home> (raw)
In-Reply-To: <CAJ3okZ0tYihuntVjjB31-zhCtVgyi0EG-zUDC1uO5EzX7C11tg@mail.gmail.com>
Hi Simon,
> Well, I understand your concerns but I am not convinced to share them.
We can certainly agree to disagree!
> IIUC, you are saying that "git annex" or "git lfs" which are
> extensions to Git are a security issue because if any malware-package
> providing a "git-pul" malware, then a user typing "git pul" with a
Yes, exactly. Like what happened to npm:
https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/
Apparently this is now called typo-squatting.
> typo can have bad surprise. But at first, you need to trust a channel
> providing this malware-package, then second you need to install this
> malware-package and third make the typo.
The last part comes with zero effort :-)
As for trusting channels and packages, this is not much of an issue
today, but if Guix ever becomes as popular as Debian is today, then we
will have plenty of users with no clue about who or what they can trust.
In the long run, maybe a command spell-checker would be a nice way out.
Some piece of software that decides, based on my command history,
whether a command I type is more likely a typo or the intention to run
some exotic software.
Cheers,
Konrad.
next prev parent reply other threads:[~2021-03-23 12:57 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-22 10:32 Getting started with GWL 0.3.0 Konrad Hinsen
2021-03-22 11:03 ` zimoun
2021-03-22 13:04 ` Konrad Hinsen
2021-03-22 13:51 ` zimoun
2021-03-22 15:07 ` Konrad Hinsen
2021-03-22 18:16 ` zimoun
2021-03-23 12:57 ` Konrad Hinsen [this message]
2021-03-23 13:16 ` Ricardo Wurmus
2021-03-23 13:24 ` Roel Janssen
2021-03-23 20:16 ` zimoun
2021-03-24 10:08 ` Konrad Hinsen
2021-03-24 10:44 ` zimoun
2021-03-23 15:51 ` Konrad Hinsen
2021-03-23 17:34 ` Ricardo Wurmus
2021-03-23 19:30 ` Roel Janssen
2021-03-23 20:14 ` Ricardo Wurmus
2021-03-23 20:30 ` Roel Janssen
2021-03-26 21:01 ` Ricardo Wurmus
2021-04-30 21:50 ` Ricardo Wurmus
2021-03-24 9:52 ` Konrad Hinsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.guixwl.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m17dlykoyh.fsf@ordinateur-de-catherine--konrad.home \
--to=konrad.hinsen@fastmail.net \
--cc=gwl-devel@gnu.org \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).