-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify what is allowed and what is considered malicious. #381
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Caleb Brown <[email protected]>
README.md
Outdated
- and either: | ||
- when installed or used, would require some sort of incident response; or | ||
- exfiltrates an identifier that can be directly used to launch an attack | ||
against the victim (e.g. username for phishing or password bruteforcing) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: you don't have to list out all the ways malicious software behaves, but these days I would say stealing browser cookies is pretty high on the list, maybe also installing a keylogger
README.md
Outdated
|
||
- an open source package publicly available in a package registry | ||
- and either: | ||
- when installed or used, would require some sort of incident response; or |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: definitions are hard, and I wouldn't call myself an expert here, but maybe something like "when installed or runs, tries to persist software on the machine unrelated to the advertised function of the package"
Signed-off-by: Caleb Brown <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice - protestware is a good call-out as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a great update. As I have cycles, I'll see if I have any wording bikeshedding I could contribute, but I think this is mvp as is
|
||
Obfuscation, debugger evasion, and other reverse engineering protection | ||
techniques, are used by both developers seeking to protect their source code | ||
and attackers seeking to evade detection. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The crates.io usage policy forbids any content that
uses obfuscation to hide or mask functionality
which seems to suggest to me that even using obfuscation for protecting source code is considered unacceptable by crates.io (though may not considered malicious), not just if the obfuscation is done to hide malicious behavior.
Further clarify the specification of what is considered malicious for the repository.
This helps make decisions about true vs false positives easier to make.