This also seems like a good time to reiterate an old comment of mine:
    https://groups.google.com/g/sage-devel/c/Dq83PiiCAsU/m/RKSpD9_rDQAJ
...pasted below for your convenience.

On Tue, 21 Dec 2021 04:04:31 +0100, Lorenz Panny <l.s.pa...@tue.nl> wrote:
> On Mon, 20 Dec 2021 14:41:27 +0100, Michael Orlitzky <mich...@orlitzky.com>
> wrote:
> > We already have 214 standard packages. That's 214 pieces of software
> > copy & pasted into the sage releases... and 214 SPKGs that the sage
> > developers need to keep updating, and 214 distro packages that every
> > distro maintainer needs to keep track of as dependencies of the sage
> > package.  
> 
> It's also 214 software packages which might, for all we know, at any
> time be hijacked by The Bad Guys to run arbitrarily malicious code on
> every Sage user's machine.
> 
> This is terrifying.
> 
> (For examples where the modern "import * from internet" mentality has
> led to security disasters, just search for terms like "malicious npm".
> Luckily it seems less bad with pip packages for now, but not for any
> real reason. Every single piece of code we import adds huge security
> questions, because updates to the dependency may be published at any
> time totally invisible to Sage developers and the review process used
> in Sage development. The build scripts will simply pull and run it.)
> 
> We should reduce dependencies, not add more. _Especially_ when it's
> about non-essential convenience libraries.


On Wed, 17 Apr 2024 09:43:28 +0300, Georgi Guninski <ggunin...@gmail.com> wrote:
> If the recent xz backdoor drama didn't induce enough paranoia in you,
> here is a second chance exception:
> 
> https://www.theregister.com/2024/04/16/xz_style_attacks_continue/
> 
> 
> Open sourcerers say suspected xz-style attacks continue to target maintainers
> Social engineering patterns spotted across range of popular projects
> Tue 16 Apr 2024 // 14:07 UTC
> 
> Open source groups are warning the community about a wave of ongoing
> attacks targeting project maintainers similar to those that led to the
> recent attempted backdooring of a core Linux library.
> 

-- 
You received this message because you are subscribed to the Google Groups "sage-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sage-devel/20240418160443.79b10a15%40l4.
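The quoted complaint is that a build script pulls whatever upstream currently serves and runs it, so a re-published tarball or a new release never passes through review. The gate below is an added example (not Sage's SPKG machinery and not code from anyone in this thread) of the check that turns such a change into a visible event: a lock file records the hash of the release a developer reviewed, and the build refuses anything else. The package name "widget", the `pin`/`check_release` functions and the tarball stand-ins are all constructed for illustration.

```python
"""Hash-pinned dependency gate (constructed example, not Sage's SPKG machinery).

A lock file records, per package, the exact release a developer reviewed.
The build script refuses anything else, so an upstream re-publish or a new
version becomes a review event instead of code that silently runs.
"""
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    OK = "ok"                              # bytes match the reviewed artifact
    HASH_MISMATCH = "hash-mismatch"        # same version string, different bytes
    UNPINNED_VERSION = "unpinned-version"  # upstream released something newer
    UNKNOWN_PACKAGE = "unknown-package"    # nothing has ever been reviewed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin(lockfile: dict, name: str, version: str, data: bytes) -> None:
    """Record the artifact a developer actually reviewed.

    This is the only code path that adds or changes an entry; the build
    script never calls it.
    """
    lockfile[name] = {"version": version, "sha256": sha256_hex(data)}


def check_release(lockfile: dict, name: str, version: str, data: bytes) -> Verdict:
    """Gate the build script runs before unpacking or executing anything."""
    entry = lockfile.get(name)
    if entry is None:
        return Verdict.UNKNOWN_PACKAGE
    if version != entry["version"]:
        return Verdict.UNPINNED_VERSION
    # compare_digest gives a constant-time comparison; harmless here, good habit.
    if not hmac.compare_digest(sha256_hex(data), entry["sha256"]):
        return Verdict.HASH_MISMATCH
    return Verdict.OK


def unpinned_accepts(name: str, version: str, data: bytes) -> bool:
    """The policy the thread warns about: whatever arrives gets built."""
    return len(data) > 0


# Constructed stand-ins for release tarballs of a hypothetical package "widget".
REVIEWED = b"widget-1.0 source tree as reviewed"
TAMPERED = REVIEWED + b"\n# same version, republished with an extra build hook"
NEWER = b"widget-1.1 source tree, never reviewed"


def simulate_builds() -> dict:
    """Run four hypothetical fetches through both policies and report verdicts."""
    lock = {}
    pin(lock, "widget", "1.0", REVIEWED)
    fetches = {
        "original": ("widget", "1.0", REVIEWED),
        "republished": ("widget", "1.0", TAMPERED),
        "new-version": ("widget", "1.1", NEWER),
        "not-a-dependency": ("gadget", "0.1", b"gadget-0.1"),
    }
    return {
        label: {
            "pinned": check_release(lock, *args).value,
            "unpinned": unpinned_accepts(*args),
        }
        for label, args in fetches.items()
    }


if __name__ == "__main__":
    for label, result in simulate_builds().items():
        print(f"{label:18s} pinned={result['pinned']:17s} "
              f"unpinned-build-runs-it={result['unpinned']}")
```

Only the first fetch passes the pinned gate; the silently republished tarball and the new version are both stopped until someone re-runs `pin` after a review. Note what the check does not do: it says nothing about whether the pinned release itself is benign, which is exactly the gap the xz case above illustrates. Pinning makes change visible; it does not replace reviewing what was pinned.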
