Wikipedia:Reference desk/Archives/Computing/2017 January 25

= January 25 =

How safe are software repositories?
Can software repositories be a security risk? I have in mind CPAN or PyPI or similar. — Preceding unsigned comment added by 31.4.146.149 (talk) 23:29, 25 January 2017 (UTC)


 * Yes. They can be a security risk. Some form of security is necessary. First, you can use some form of public-private key encryption to ensure that the data you are receiving is coming from the repository itself and not a third party that has hijacked your connection. Second, you can use a key to decrypt a hash of the files and ensure that the hash of the file you received matches the hash reported by the repository. That just ensures that the file you received is actually from the repository. You have to trust that what is in the repository is supposed to be there. In the past, supposedly secret keys have been compromised, allowing someone to slip files into repositories. Depending on the repository, it could be hidden and you won't know about it. When it happened to Fedora, they widely publicized it and told everyone to change their repository keys and redownload packages. Finally, you have to trust the repository. Do you really trust "Joe Bob's Super-Cool Repository for People Who Don't Care About Computer Security"? Do you trust a repo that is more focused on pushing out every daily change to every package at the expense of checking security? It is purely up to you. I use Redhat's repository, which I trust more than other repositories. I used to use Adobe's repository, which I didn't really trust at all because I simply don't trust Adobe. It was an accepted security risk for me. All in all, security risk of your chosen repository is something to keep in mind, but it isn't as important as social engineering, phishing, baiting, etc... 209.149.113.5 (talk) 16:14, 26 January 2017 (UTC)
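The two checks the reply above describes (a signature proving the file list came from the repository's own key, then a hash check on the downloaded file), as an added example in Go that is not part of the original thread; the SHA256SUMS-style manifest, the Ed25519 key pair and the package contents are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// The manifest is a constructed SHA256SUMS-style list, one "<sha256 hex>  <filename>" per line.
// The repository signs the whole manifest once with its private key.
func signManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// verifyPackage performs the client-side checks: (1) the manifest signature verifies under the
// repository key the client already trusts, (2) the manifest lists the file, (3) the file's hash
// matches. Passing all three proves only that the repository published this exact file; whether
// the repository itself deserves trust is a separate decision.
func verifyPackage(repoPub ed25519.PublicKey, manifest string, sig []byte, name string, data []byte) error {
	if !ed25519.Verify(repoPub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid: not signed by the trusted repository key")
	}
	want := ""
	for _, line := range strings.Split(manifest, "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[1] == name {
			want = f[0]
		}
	}
	if want == "" {
		return fmt.Errorf("%s is not listed in the signed manifest", name)
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s hash mismatch: contents differ from what was signed", name)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // repository signing key (constructed)
	pkg := []byte("constructed package contents")
	sum := sha256.Sum256(pkg)
	manifest := hex.EncodeToString(sum[:]) + "  example-1.0.tar.gz\n"
	sig := signManifest(priv, manifest)
	fmt.Println("genuine:", verifyPackage(pub, manifest, sig, "example-1.0.tar.gz", pkg))
	fmt.Println("tampered:", verifyPackage(pub, manifest, sig, "example-1.0.tar.gz", []byte("trojaned")))
}
```

If the repository's signing key is compromised, as in the Fedora case mentioned above, the client has to replace repoPub with the new key and re-check previously downloaded files, since signatures under the old key no longer prove anything.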
 * All true. That being said, I generally trust CRAN, CTAN, and other large/famous/old code repositories - they do their own due diligence to keep malicious code out of their servers, and they have many, many users who will quickly report any problems. I have not personally heard of anyone having any problem with materials downloaded from these fairly reliable sources. I have not personally used CPAN, but I'd probably extend them a basic level of trust as I do for CRAN and CTAN, neither of which are remotely like your hypothetical "Joe's super cool" example, in terms of security or frequency of changes being pushed. SemanticMantis (talk) 16:28, 26 January 2017 (UTC)