Comment by xg15 a day ago


It's a good idea, but not without weak points, I think.

One of the classic scammer techniques is to introduce artificial urgency to prevent the victim from thinking clearly about a proposal.

I think this would be a weakness here as well: If enough projects adopt a "cooldown" policy, the focus of attackers would shift to manipulate projects into making an exception for "their" dependency and install it before the regular cooldown period elapsed.

How to do that? By playing the security angle once again: An attacker could make a lot of noise about how a new critical vulnerability was discovered in their project and every dependent should upgrade to the emergency release as quickly as possible, or else - with the "emergency release" then being the actually compromised version.

I think a lot of projects could come under pressure to upgrade, if the perceived vulnerability seems imminent and the only point for not upgrading is some generic cooldown policy.
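The cooldown policy discussed in this comment, with the exception path it warns about made explicit and auditable rather than informal, as an added example (not code from the thread or from any project). It assumes npm-registry-style package metadata, where the `time` map records each version's publish timestamp; the package name, versions and dates are constructed.

```python
"""Dependency cooldown check with an explicit, auditable exception path.

Added example, not code from the thread or any project. Assumes npm-registry
style metadata, whose ``time`` map gives each version's publish timestamp. The
package name, versions and dates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

COOLDOWN = timedelta(days=7)  # policy value; an assumption, tune per project

# Constructed sample. The "time" map (plus its "created"/"modified" entries)
# mirrors the shape the npm registry returns; nothing else here is real.
SAMPLE_METADATA = {
    "name": "example-lib",
    "dist-tags": {"latest": "1.4.1"},
    "time": {
        "created": "2023-01-10T12:00:00.000Z",
        "modified": "2024-05-20T09:30:00.000Z",
        "1.4.0": "2024-05-01T10:00:00.000Z",
        "1.4.1": "2024-05-20T09:30:00.000Z",
    },
}


@dataclass(frozen=True)
class CooldownException:
    """A recorded, attributable decision to install before the cooldown elapses.

    Forcing every bypass through a record with a reason and an approver is the
    point: the "urgent advisory" pressure the comment describes then lands on a
    named person and leaves a trail, instead of silently skipping the policy.
    """
    package: str
    version: str
    reason: str
    approved_by: str


def at(year: int, month: int, day: int) -> datetime:
    """UTC midnight on the given date; keeps callers free of datetime imports."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _parse_ts(ts: str) -> datetime:
    # The registry uses a trailing "Z"; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def release_age(metadata: dict, version: str, now: datetime) -> timedelta:
    """How long ago the given version was published."""
    return now - _parse_ts(metadata["time"][version])


def published_versions(metadata: dict) -> List[str]:
    """Version keys of the time map, minus the registry's bookkeeping entries."""
    return [v for v in metadata["time"] if v not in ("created", "modified")]


def evaluate_install(metadata: dict, version: str, now: datetime,
                     exceptions: Iterable[CooldownException] = (),
                     cooldown: timedelta = COOLDOWN) -> dict:
    """Decide whether a version may be installed now, and say why.

    The result always states whether the cooldown was bypassed so that a CI log
    or audit query can list every install that went through the exception path.
    """
    age = release_age(metadata, version, now)
    if age >= cooldown:
        return {"allowed": True, "bypassed_cooldown": False,
                "age_days": age.days, "note": "cooldown elapsed"}
    for exc in exceptions:
        if exc.package == metadata["name"] and exc.version == version:
            return {"allowed": True, "bypassed_cooldown": True,
                    "age_days": age.days,
                    "note": f"exception approved by {exc.approved_by}: {exc.reason}"}
    return {"allowed": False, "bypassed_cooldown": False, "age_days": age.days,
            "note": f"version is {age.days} day(s) old; cooldown is {cooldown.days} days"}


def newest_cooled_version(metadata: dict, now: datetime,
                          cooldown: timedelta = COOLDOWN) -> Optional[str]:
    """Newest version whose cooldown has elapsed, or None if every version is too new."""
    candidates = [v for v in published_versions(metadata)
                  if release_age(metadata, v, now) >= cooldown]
    # Order by publish time rather than by version string to avoid semver parsing.
    candidates.sort(key=lambda v: _parse_ts(metadata["time"][v]))
    return candidates[-1] if candidates else None


if __name__ == "__main__":
    now = at(2024, 5, 22)
    print(evaluate_install(SAMPLE_METADATA, "1.4.1", now))
    bypass = CooldownException("example-lib", "1.4.1",
                               "upstream advisory claims remote code execution", "alice")
    print(evaluate_install(SAMPLE_METADATA, "1.4.1", now, exceptions=[bypass]))
    print("newest cooled version:", newest_cooled_version(SAMPLE_METADATA, now))
```

The exception record does not make the policy immune to the pressure the comment describes; it only ensures that a rushed "emergency" install is a deliberate, logged decision by a named approver, which is what a reviewer needs to notice that the bypass itself was the attack.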

__MatrixMan__ a day ago

Along those lines: If you're packaging an exploit, it's probably best to fix a bug while you're at it. That way people who want to remove their ugly workarounds will be motivated to violate the dependency cooldown.

mewpmewp2 a day ago

How would they create that noise?

  • xg15 a day ago

    Depends on the level of infiltration I guess. If the attacker managed to get themselves into a trusted position, as with the XZ backdoor, they could use the official communication channels of the project and possibly even file a CVE.

    If it's "only" technical access, it would probably be harder.

    • andix a day ago

      If they file a CVE, they will draw a lot of attention from experts to the project. Even from people who never heard of this package before.