Official NuGet Package Source: Should I Worry About Package Security?

According to this page:

There is no central approval process for adding packages. When you upload a package to the NuGet package gallery (which does not exist yet), you don't have to wait several days or weeks for someone to look at it and approve it. Instead, we rely heavily on the community to moderate and police the feed. This is in the spirit of CodePlex.com and RubyGems.org.

It makes me feel uneasy. Before downloading a Firefox add-on, I know that it should not contain malicious code, because AFAIK all add-ons on addons.mozilla.org are reviewed by Mozilla. Before downloading an open source project from codeplex.com or code.google.com, I know that it should be safe, because anyone can check its source code. And I can also use WOT (Web of Trust) to check what other people think about the project.

But before downloading a package from the official NuGet package source? Take this one. I do not know who made this package or what it contains. It seems to me that anyone can pack anything into a package, give it any name they want (for example, "Microsoft Prism", if that name is not already taken), and then upload it to the official package source.

Should I worry about package security on the official NuGet source package?

+8
nuget nuget-package
3 answers

Your concern should apply to software you get from any source:

  • Binaries downloaded from Sourceforge.net, Codeplex.com, etc., may contain malicious code (either put there by the original author or, most likely, inserted by a hacker who compromised the website), which may go unnoticed until someone (you?) gets bitten and raises the alarm.
  • Even if you compile your own binaries from source downloaded from one of the above sites, it can still perform malicious actions unless you go through the whole source code and understand what it is doing.
  • Even software downloaded from "app stores" (for example, Apple iTunes, Android Market) may contain malicious code; some of these review processes are partially automated, but they are still not infallible, and the human review, which also occurs, is definitely not infallible!
  • In the past, there have been examples of boxed software containing malware!

Perhaps there is a continuum of trust that you can place in software (delivered as binaries or source code), and something like the NuGet package gallery (and CodePlex.com and RubyGems, etc.) probably lies towards the less reliable end of that continuum.

There are potential solutions to this problem, such as the proposals offered by the Trusted Computing Platform Alliance, but they impose huge restrictions on the freedoms we currently enjoy in developing software and sharing the software we develop as we see fit, without needing licenses or cryptographic keys obtained from central authorities for a lot of money.

I believe the community will develop conventions and mechanisms to ensure that NuGet becomes a reliable source of software libraries for .NET developers, while maintaining flexibility that does not require a formal review process. However, the ultimate responsibility lies with you as the user to ensure that your IT security is not compromised, and the precautions you take depend on how critical IT security is in the context of the software you write (e.g. home projects: probably low; banking, medical, design processes: probably high!).

+8

NuGet does not manage trust. Even so, you still have to worry about trusting NuGet.

You should absolutely be concerned about the security of the code in the NuGet package. You should be concerned about the security of any code you are not familiar with.

The approach I take to using packages, both personally and professionally, through NuGet and NPM is below:

  • Pin the semantic version number completely: explicitly specify the major, minor, and patch numbers. Do not assume that new updates will be safe or that their semantic version will be accurate.
  • Use only known, current versions for production.
  • Experiment with things in a restricted test environment, e.g. under an account that is not a local administrator, has no local access to high-value credentials, and has no access rights to privileged resources granted on the basis of the test machine's IP address.
  • Check the vendor. For example, if the package is published by Amazon and it is an AWS SDK, then it is probably safe to use if you trust Amazon.

For example, the only packages I would trust right now to just go and add to a production environment are Newtonsoft.Json and NHibernate. My biggest problem with new open source packages that anyone can publish is whether they actually work as described, rather than my buying in and spending my time on something that does not fit my needs.

It seems to me that if you have done enough research into a package to make sure it is suitable for a production environment, you have probably learned enough about the software and its community to determine whether you can trust it not to do anything malicious. Researching the software and its community actually means more to me than a NuGet seal of approval endorsed by one central authority that we all pray is perfect.

+1
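The checklist in the answer above (pin the full version, do not assume a new update is safe) can be partly mechanised. The script below is an added example, not code from the page, from NuGet or from the answer's author. It audits a lock file shaped like NuGet's packages.lock.json and the packages actually downloaded for it: every direct dependency must be requested as an exact pin (NuGet's "[1.2.3]" range syntax rather than the upward-floating "[1.2.3, )" that a plain Version="1.2.3" expands to), and each downloaded .nupkg must match the contentHash the lock file recorded. The lock-file layout and the base64 SHA-512 form of contentHash are this example's assumptions about NuGet's format; the packages, hashes and package ids other than Newtonsoft.Json are constructed sample data, and "Some.Helper" is a hypothetical package.

```python
"""Audit a NuGet-style lock file: are direct dependencies pinned exactly, and
does each downloaded package still match the content hash the lock recorded?
Added example; the lock-file shape and hash encoding are assumptions."""
import base64
import hashlib
import io
import json
import re
import zipfile

# NuGet version-range syntax: "[1.2.3]" or "[1.2.3, 1.2.3]" is an exact pin;
# "[1.2.3, )" (a plain Version="1.2.3") accepts anything from 1.2.3 upward.
_EXACT = re.compile(r"^\[\s*([^,\]\s]+)\s*(?:,\s*([^,\]\s]+)\s*)?\]$")


def is_exact_pin(requested: str) -> bool:
    """True only when the requested range admits exactly one version."""
    m = _EXACT.match(requested)
    return bool(m) and (m.group(2) is None or m.group(2) == m.group(1))


def content_hash(nupkg: bytes) -> str:
    """Base64 SHA-512 of the whole package file (assumed contentHash encoding)."""
    return base64.b64encode(hashlib.sha512(nupkg).digest()).decode("ascii")


def make_nupkg(package_id: str, version: str, payload: bytes) -> bytes:
    """Constructed stand-in for a .nupkg: a zip holding a .nuspec and one 'assembly'.
    Fixed timestamps keep the bytes, and therefore the hash, deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (
            (f"{package_id}.nuspec",
             f"<package><metadata><id>{package_id}</id>"
             f"<version>{version}</version></metadata></package>"),
            (f"lib/net8.0/{package_id}.dll", payload),
        ):
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def audit(lock: dict, downloaded: dict) -> list:
    """Return one finding per pinning or integrity problem; empty list means clean."""
    findings = []
    for framework, deps in lock["dependencies"].items():
        for pkg_id, entry in deps.items():
            if entry["type"] == "Direct" and not is_exact_pin(entry["requested"]):
                findings.append(f"{framework}: {pkg_id} requested "
                                f"{entry['requested']!r} is not an exact pin")
            blob = downloaded.get(pkg_id)
            if blob is None:
                findings.append(f"{framework}: {pkg_id} has no downloaded package to verify")
            elif content_hash(blob) != entry["contentHash"]:
                findings.append(f"{framework}: {pkg_id} {entry['resolved']} "
                                f"content hash mismatch")
    return findings


def build_sample():
    """Constructed lock file plus the packages 'restored' for it. Some.Helper is
    both floated (not pinned) and tampered with after the lock was written."""
    good = make_nupkg("Newtonsoft.Json", "13.0.3", b"MZ constructed assembly bytes")
    helper_locked = make_nupkg("Some.Helper", "1.2.0", b"MZ original helper bytes")
    helper_tampered = make_nupkg("Some.Helper", "1.2.0", b"MZ modified helper bytes")
    lock = {"version": 1, "dependencies": {"net8.0": {
        "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, 13.0.3]",
                            "resolved": "13.0.3", "contentHash": content_hash(good)},
        "Some.Helper": {"type": "Direct", "requested": "[1.0.0, )",
                        "resolved": "1.2.0", "contentHash": content_hash(helper_locked)},
    }}}
    return lock, {"Newtonsoft.Json": good, "Some.Helper": helper_tampered}


if __name__ == "__main__":
    lock_file, packages = build_sample()
    print(json.dumps(lock_file, indent=2))
    for finding in audit(lock_file, packages) or ["clean"]:
        print(finding)
```

Run against a real project you would load packages.lock.json with json.load and read each .nupkg from the local package cache in place of build_sample(); the two checks are independent, so a package can be pinned correctly yet fail the hash check, which is exactly the case (a substituted binary under an unchanged version number) that pinning alone does not catch.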

Honestly, I don't think it's worth the worry. The Microsoft development community is very different from the typical Internet community, where predators are lurking around every corner. In addition, the knowledge level of the developer community is much higher. If someone deliberately releases virulent code through trusted channels such as NuGet and GitHub, he or she will be discovered, exposed, and even prosecuted. Software written with the intent to do harm cannot be protected directly or indirectly by any agreement.

However, you must still take precautions. The library you use may inadvertently introduce vulnerabilities. It is up to you, as the programmer, to properly test and select the tools you use to build your application, and that is no different from checking that the library meets your performance requirements.

-1
