[opam-devel] "Typosquatting programming language package managers"; how to protect opam-repository from typo-squatting?

Gabriel Scherer gabriel.scherer at gmail.com
Thu Jun 9 16:29:42 BST 2016


Let's clarify: the design of "opam lint" seems to be that the result of its
QA tests depends on the checkers' only input, namely the opam file fed to
it. It does not take into account repository information (so I cannot easily
implement the check I had in mind), nor e.g. url files (while it would seem
interesting to have a tool to give feedback on a wrong checksum).

I think this design choice has advantages. For example we know that the
"opam lint" output is going to be the same on a user machine and on the
repository CI, or is going to be stable across opam repositories.

Note that there is another part of the OPAM codebase with the name "lint",
namely admin-scripts/lint.ml, that does repository-global linting (for now
it just seems to aggregate individual package lint outputs for the whole
repo). If we added a mode to check a (set of) new proposed package(s)
against the current repo, it could be an interesting basis.

Thomas: thanks, that seems to suggest there is indeed a missing step and we
would need to make it happen. (Which means more work than adding to an
existing infrastructure, but such is life.) Note that I think the
invocation in this case should be

  opam repo-lint --new-packages `cat tobuild.txt`

because this check must rely on knowledge of what already exists in the
repository, and (separately) what is new and proposed for inclusion.
Otherwise, if we just warned about all pairs of packages within typo
distance, old false positives would keep coming up over and over.

On Thu, Jun 9, 2016 at 11:17 AM, Daniel Bünzli <daniel.buenzli at erratique.ch>
wrote:

>
> On Thursday, 9 June 2016 at 16:16, Daniel Bünzli wrote:
>
> >
> > On Thursday, 9 June 2016 at 15:57, Gabriel Scherer wrote:
> >
> > > My plan was: in `opam lint`, emit a warning if the linted package name
> is at edit distance 2 or less (but not 0) of an existing package in the
> repository. But this does not quite work; I quickly looked at the code and
> it seems that "opam lint" is meant to be run purely locally, it does not
> have access to a base of packages available in the repository.
> >
> >
> > opam lint is automatically run by camelus when you do a PR to the OCaml
> OPAM repository so it would be useful for the maintainers (and to the
> package submitter as well).
> Ah sorry I think I misunderstood what you meant by "locally".
>
> Daniel
>
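The repository-level check discussed in this thread (warn when a *newly proposed* package name is within edit distance 2, but not 0, of a package already in the repository, comparing only new names against existing ones so that old near-collisions are not re-reported) is sketched below as an added example. This is illustrative code written for this post, not part of opam, camelus or admin-scripts/lint.ml; the package names in `EXISTING` and `NEW` are constructed sample input, and the function names `edit_distance` and `typo_warnings` are this example's own. Proposed names that already exist in the repository are treated as new versions of an accepted package and skipped, which is one reading of the "but not 0" rule.

```python
from __future__ import annotations

import sys
from typing import Iterable


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of single-character
    insertions, deletions or substitutions turning a into b."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def typo_warnings(existing: Iterable[str], new: Iterable[str],
                  max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Return (new_name, existing_name, distance) for every proposed
    package whose name is within max_distance (but not 0) of a package
    already in the repository.

    Only proposed names are compared against the repository, never the
    repository against itself, so pre-existing near-collisions between
    accepted packages do not resurface on every run."""
    existing_names = sorted(set(existing))
    warnings = []
    for name in sorted(set(new)):
        if name in existing_names:
            continue  # distance 0: a new version of an accepted package
        for other in existing_names:
            d = edit_distance(name, other)
            if d <= max_distance:
                warnings.append((name, other, d))
    return warnings


# Constructed sample input: a few repository names and a proposed batch
# (the batch would normally come from something like `cat tobuild.txt`).
EXISTING = ["lwt", "cmdliner", "yojson", "core", "fmt"]
NEW = ["lwt", "cmdlinr", "yojsn", "mirage"]


def report(existing: Iterable[str], new: Iterable[str]) -> list[str]:
    """Human-readable lines, one per warning, in stable order."""
    return [f"warning: new package {n!r} is at edit distance {d} "
            f"from existing package {e!r}"
            for n, e, d in typo_warnings(existing, new)]


if __name__ == "__main__":
    proposed = sys.argv[1:] or NEW
    for line in report(EXISTING, proposed):
        print(line)
```

Run with the proposed names as arguments (or with none to use the embedded sample) to see that `cmdlinr` and `yojsn` are flagged against `cmdliner` and `yojson` while `mirage` and the re-submitted `lwt` are not. Note that very short names (`lwt` versus `fmt`, distance 2) are within the threshold of each other, which is exactly why restricting the comparison to the new side of a PR matters.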