Slackware: This Forum is for the discussion of Slackware Linux.
Obviously, Igadoter, the reason this didn't happen on CPAN is because no-one decided to try it on CPAN yet. That's the only reason. Why not? Well, the fact that Perl usage has been going into the toilet for the last decade is probably a factor.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
So, 17289 hosts affected?
PS. The typosquatting could affect any huge repository, regardless of the programming language. For example, there is something about PHP and its Composer:
Seems Perl is free from such problems. One point more for Perl.
HAHA No.
As much as I'd like to root for Perl/CPAN being scot-free here, the real reason is simply that Perl/CPAN isn't as attractive an attack vector as it used to be. In fact, an earlier attempt at typosquatting attacks concluded with
Quote:
The CPAN ecosystem was simply too complex and cumbersome to try to attack. The declining popularity of CPAN and Perl in the past years was another reason to exclude it from research.
As a CPAN author myself, I could add another reason: there are many eyes (human and otherwise) looking at the CPAN upload queue especially at post-upload; from places like #perl freenode IRC as well as on Twitter and MetaCPAN.
Do you really think that you know what you are speaking about?
I hope so. If there is libpyth.so and there is a call to foobar (whatever) from this library, you need to put something in its place which looks like foobar from libpyth.so. I hope it is possible to extract a core (minimal) Python install which is needed by the system, and replace that core by something else. Maybe I will have a look at what a minimal Python install is; once I succeed I will post here. I mean to run Slackware with only a minimal Python install.
Say we start with a minimal Slackware installation, extend it and look at which point I need Python. There are many resources which may help in this: LFS - do I need Python to build LFS? Maybe yes, because system-wide scripts are written in Python (as it is in Debian). One can look at BSD ports to see which apps require Python and which libraries exactly, and of course one can directly query an app for what libraries it needs. I don't think it is really very difficult. It is only the question: why should I do that? If you guys don't care for such things, why should I? I am only a PC user. Playing games, surfing the web, watching movies, and making Linux my hobby.
I mean to run Slackware with only a minimal Python install.
Is it just because of this attack? Because Pat doesn't use pip for python scripts. He grabs all the source and builds the packages manually using SlackBuilds. The SlackBuilds on SBo provide links directly to source and you build the packages using SlackBuilds.
The issue in the news with PyPI is when users use pip to install something and they misspell the package... if someone decided to upload a package to it that had that misspelled name, pip would install it. PyPI didn't get hacked, and no legitimate packages were affected (unless they were pulling things in via pip and misspelled the packages). This isn't even limited to python, as node.js and ruby both ran into the same issue.
Quote:
For his bachelor's thesis, Tschacher explored the feasibility of typosquatting attacks on programming language package registries, specifically Python's PyPI, Node.JS's npm and Ruby's gem.
By creating 214 versions of popular packages with misspelled names (eg, "reqeusts" instead of Python's "requests"), he was able to distribute thousands of fake code libraries.
There are two very easy fixes for this. 1. Build things yourself. If there isn't already a python SlackBuild on SBo, it's not hard to create and then you can upload it yourself. 2. Make sure you spell things right if you decide to use pip.
Now... if you have other reasons to remove python from Slackware, then that could make more sense, but if it is just a knee-jerk reaction to this news, then personally, I think you're overreacting.
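The post above describes the mechanism (a misspelled name handed to pip resolves to whatever an attacker uploaded under that spelling, e.g. "reqeusts" for "requests") and the second fix ("spell things right"). As an added example, not code from the thread or from pip, here is a pre-install guard that turns that advice into a check: requested names are PEP 503-normalized and compared against an allow-list of well-known packages, and a name that is not on the list but sits within one edit or adjacent transposition of a listed name is refused for human confirmation. The POPULAR_PACKAGES set is a small constructed sample; a real deployment would load the top downloaded names from a maintained list.

```python
"""Pre-install guard against typosquatted package names.

Added example (not from the thread, not part of pip): before handing a name
to pip, compare it against a list of well-known package names. A requested
name that is not on the list but lies within Damerau-Levenshtein distance 1
of a known name is flagged as a likely typo.
"""
from __future__ import annotations
import re

# Constructed sample of well-known PyPI names (assumption: a real deployment
# would load the top-N downloaded packages from a maintained allow-list).
POPULAR_PACKAGES = frozenset({
    "requests", "urllib3", "setuptools", "numpy", "django", "flask",
    "cryptography", "pyyaml", "six", "certifi",
})


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _, . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert/delete/substitute plus one
    adjacent transposition. Transposition matters because 'reqeusts' is a
    single swap away from 'requests'."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def check_name(requested: str, known=POPULAR_PACKAGES, max_distance: int = 1):
    """Return (verdict, nearest): verdict is 'known', 'suspicious' or 'unknown'.
    'suspicious' means: not on the list, but within max_distance of a listed name."""
    req = normalize(requested)
    known_norm = {normalize(k) for k in known}
    if req in known_norm:
        return "known", req
    nearest = min(known_norm, key=lambda k: damerau_levenshtein(req, k))
    if damerau_levenshtein(req, nearest) <= max_distance:
        return "suspicious", nearest
    return "unknown", None


def guard(requirements):
    """Split a requirement list into (safe_to_install, flagged).
    flagged holds (requested, suggested) pairs for a human to confirm;
    genuinely unknown names pass through, since the list cannot judge them."""
    safe, flagged = [], []
    for name in requirements:
        verdict, nearest = check_name(name)
        if verdict == "suspicious":
            flagged.append((name, nearest))
        else:
            safe.append(name)
    return safe, flagged


if __name__ == "__main__":
    # Constructed requirement list: one correct name, three typos, one internal tool.
    wanted = ["requests", "reqeusts", "djnago", "urlib3", "some-internal-tool"]
    ok, bad = guard(wanted)
    print("install:", ok)
    for req, near in bad:
        print(f"REFUSING {req!r}: did you mean {near!r}?")
```

The check deliberately refuses rather than auto-corrects: "reqeusts" is flagged with "requests" as the suggestion, and the person running the install decides. Names far from anything on the list ("some-internal-tool") pass, which is the limit of this approach; it protects against the typo case the thread is about, not against a brand-new malicious package.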
I think it would be very difficult. Many applications these days use Python in one way or another, and it's not easy to track because Python is normally used by invoking the interpreter, not by linking against a shared library.
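The point above, that Python dependence is mostly invisible to library-level tooling because scripts invoke the interpreter rather than link against it, is something you can measure rather than guess at. As an added example, not code from the thread or from Slackware, here is a scanner that walks a tree and classifies each file by how it pulls in Python: a shebang that names a python interpreter, a .py module, or an ELF binary whose dynamic-link strings mention libpython. The libpython test is a byte-string heuristic, not a parse of the ELF .dynamic section (on a real system, ldd is the authoritative check); the sample tree it scans is constructed in a temporary directory so the demo runs offline, and the paths in it are made up to stand in for /usr/bin and /usr/lib.

```python
"""Which files depend on Python, and how?

Added example (not from the thread, not a Slackware tool). Classifies files as:
  'shebang'   : first line invokes a python interpreter
  'module'    : a .py source file
  'libpython' : an ELF binary whose dynamic-link strings mention libpython
  None        : no Python dependence detected
The libpython check is a byte-string heuristic (assumption), not an ELF parse.
"""
from __future__ import annotations
import os
import re
import tempfile
from collections import Counter

# Matches "#!/usr/bin/python", "#!/usr/bin/python2.7", "#!/usr/bin/env python3".
SHEBANG_RE = re.compile(rb"^#!\s*(?:/usr/bin/env\s+)?\S*python[0-9.]*\b")
ELF_MAGIC = b"\x7fELF"


def classify(path: str) -> str | None:
    """Return the kind of Python dependence for one file, or None."""
    if path.endswith(".py"):
        return "module"
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    if head.startswith(ELF_MAGIC):
        # NEEDED entries live in .dynstr as NUL-terminated names; scanning the
        # bytes for "libpython" is the heuristic stand-in for reading them.
        with open(path, "rb") as fh:
            data = fh.read()
        return "libpython" if b"libpython" in data else None
    first_line = head.split(b"\n", 1)[0]
    if SHEBANG_RE.match(first_line):
        return "shebang"
    return None


def scan(root: str) -> dict[str, str]:
    """Map relative path -> kind for every Python-dependent file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            kind = classify(full)
            if kind:
                found[os.path.relpath(full, root)] = kind
    return found


def build_sample_tree(root: str) -> None:
    """Constructed sample files (made-up names) standing in for a real tree."""
    fake_elf_header = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9
    samples = {
        "usr/bin/helper": b"#!/usr/bin/env python3\nprint('hi')\n",
        "usr/bin/oldtool": b"#!/usr/bin/python2.7\n",
        "usr/bin/sh_script": b"#!/bin/sh\necho no python here\n",
        "usr/lib/python3.9/site.py": b"# module\n",
        "usr/bin/embedder": fake_elf_header + b"libpython3.9.so.1.0\0libc.so.6\0",
        "usr/bin/plainelf": fake_elf_header + b"libc.so.6\0",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo() -> Counter:
    """Build the sample tree, scan it, and return counts per kind."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        results = scan(root)
        for rel, kind in sorted(results.items()):
            print(f"{kind:10s} {rel}")
        return Counter(results.values())


if __name__ == "__main__":
    print(demo())
```

Run against a real prefix (scan("/usr")) the interesting column is "shebang": those are the files a library-only audit misses, and the ones that break first if the interpreter is removed or replaced as proposed earlier in the thread.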
Quote:
Originally Posted by igadoter
It is only the question: why should I do that?
That's a very good question. If your goal is to waste time securing your machine against an imaginary vulnerability, then by all means do it. Otherwise, I can't think of any reason.
Igadoter, you "don't think it's very difficult" to replace all of the Python interpreter's link libraries (including the one that implements most of the interpreter itself) with implementations of your own?
I was going to say this a couple of messages ago, but: I think this has gone on long enough. You've been getting more ridiculous with each post. Feel free to stop trolling any time.