PerlMonks  

Re: (OT) Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

by LanX (Sage)
on Mar 07, 2021 at 11:26 UTC (#11129252=note)


in reply to (OT) Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies

Thanks, interesting read!

Some thoughts from a Perl perspective (which wasn't mentioned)

  • companies could restrict their proprietary modules to the same top-namespace like Apple::
  • build systems could refuse to install from such private namespaces
  • examples like My:: or Our:: come into mind as private by default
  • CPAN could deny releases into "private namespaces" or similar
  • another option for privacy could be leading underscores: package _CompanyModule;

Disclaimer: I didn't thoroughly check if any of this is already done. But I found at least one module released under My::Object.

Cheers Rolf
(addicted to the Perl Programming Language :)
Wikisyntax for the Monastery
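As an added illustration of the second and fifth bullets above (a build step that refuses to fetch private-namespace modules from public CPAN, with the leading-underscore convention treated as private too), here is a small policy check in Perl. It is not code from the thread or from any CPAN tool; the reserved prefix list (`Example::Corp`, `My`, `Our`) and the "module => source" map standing in for a dependency resolver's output are constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the PerlMonks thread. Flags dependencies whose
# package name falls into a namespace the company reserves for internal code,
# so a build can refuse to install them from public CPAN (a dependency-confusion
# guard). The prefixes and the resolver output below are constructed.
use strict;
use warnings;

# Hypothetical policy: top-level namespaces reserved for internal modules.
my @PRIVATE_PREFIXES = qw(Example::Corp My Our);

# True when the module lies in a reserved namespace, or when any component
# of its name starts with an underscore (the "_CompanyModule" convention).
sub is_private_module {
    my ($module) = @_;
    return 1 if $module =~ /(?:^|::)_/;
    for my $prefix (@PRIVATE_PREFIXES) {
        return 1 if $module eq $prefix || index($module, "${prefix}::") == 0;
    }
    return 0;
}

# Given (module => source) pairs, return the modules policy rejects: private
# modules that would be installed from a public mirror instead of the
# internal one.
sub find_policy_violations {
    my (%resolved) = @_;
    my @bad;
    for my $module (sort keys %resolved) {
        push @bad, $module
            if is_private_module($module) && $resolved{$module} ne 'internal';
    }
    return @bad;
}

# Constructed sample of what a dependency resolver might report.
my %resolved = (
    'Moose'                  => 'public',
    'Example::Corp::Billing' => 'public',    # name squatted on the public index
    'Example::Corp::Auth'    => 'internal',  # served by the company mirror
    'My::Object'             => 'public',    # the case LanX mentions finding on CPAN
    '_CompanyModule'         => 'public',
);

my @violations = find_policy_violations(%resolved);
if (@violations) {
    print "refusing install; private modules resolved from a public source:\n";
    print "  $_\n" for @violations;
    exit 1;
}
print "dependency policy OK\n";
```

Run before the real install step (for instance ahead of `cpanm --installdeps .`); with the sample map it exits non-zero and lists Example::Corp::Billing, My::Object and _CompanyModule. The check only covers naming policy, so it complements rather than replaces pointing the installer exclusively at a vetted internal mirror.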

Re^2: (OT) Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
by Corion (Patriarch) on Mar 07, 2021 at 11:42 UTC

    The simple approach is to run your own CPAN mirror and only import modules there that you have previously vetted.

    Randomly pulling down packages from the internet is not a good strategy, no matter what assurances CPAN provides.

      Managing this reliably in a mid-sized team is already hard, even more so in a company.

      Using a naming convention/namespace for internal stuff can't be wrong.

      Cheers Rolf
      (addicted to the Perl Programming Language :)
      Wikisyntax for the Monastery
