NuGet 官方包源:我应该担心包的安全性吗? [英] NuGet official package source: Should I be worried about the safety of the packages?
问题描述
根据本页:
没有用于添加包的中央审批流程.当您将包上传到 NuGet 包库(尚不存在)时,您无需等待数天或数周等待有人对其进行审核和批准.相反,当涉及到提要时,我们将依靠社区来调节和监管自己.这符合 CodePlex.com 和 RubyGems.org 的工作精神.
No central approval process for adding packages. When you upload a package to the NuGet Package Gallery (which doesn’t exist yet), you won’t have to wait around for days or weeks waiting for someone to review it and approve it. Instead, we’ll rely on the community to moderate and police itself when it comes to the feed. This is in the spirit of how CodePlex.com and RubyGems.org work.
这让我感到不安.在我下载 Firefox 插件之前,我知道它不应该包含恶意代码,因为 AFAIK addons.mozilla.org 上的所有插件都经过 Mozilla 审查.在我从 codeplex.com 或 code.google.com 下载开源项目之前,我知道它应该是安全的,因为任何人都可以检查它的源代码.我还可以使用 WOT(信任网络)来检查其他人对项目的看法.
This makes me feel uneasy. Before I download a Firefox add-on, I know it should not contain malicious code, because AFAIK all add-ons on addons.mozilla.org are reviewed by Mozilla. Before I download a open source project from codeplex.com or code.google.com, I know it should be safe because anyone can check it's source code. And I can also use WOT (web of trust) to check how other people think about the project.
但在我从 NuGet 官方包源下载包之前.以这个为例.我不知道这个包是谁做的,也不知道包里有什么.在我看来,任何人都可以将任何东西打包成一个包,给它任何他们想要的名字(比如Microsoft Prism",只要不取名字),然后将其上传到官方包源.
But before I download a package from NuGet official package source. Take this one for example. I do no know who made this package, nor what is contained in the package. It seems to me that anyone can pack anything into a package, give it any name they want (like "Microsoft Prism", as long as the name is not taken), then upload it to the official package source.
我是否应该担心 NuGet 官方包源上的包的安全性?
Should I be worried about the safety of the packages on NuGet official package source?
推荐答案
你的不安应该适用于你从任何来源获得的软件:
Your uneasyness should apply to software you obtain from any source:
- 从 Sourceforge.net、Codeplex.com 等下载的二进制文件可能包含恶意代码(由原始提交者植入,或者更有可能由黑客插入网站),这些代码可能会在有人(您?)被咬并拉响警报.
- 即使您从以前的网站之一下载的源代码编译自己的二进制文件,它仍然可能执行恶意行为,除非您查看所有源代码并了解它的作用.
- 即使是从应用商店"(例如 Apple iTunes、Android Market)下载的软件也可能包含恶意代码;其中一些审核流程是部分自动化的,但仍然不是绝对可靠的,而且人工审核也绝对不是绝对可靠的!
- 过去曾有过包含恶意软件的盒装软件的例子!
也许您可以对软件(以二进制文件或源代码形式提供)保持持续的信任,而 Nuget Package Gallery(以及 CodePlex.com 和 RubyGems 等)可能位于不太可信的一端连续体.
Perhaps there is a continuum of trust that you can have in software (delivered as binaries or source code), and something like the Nuget Package Gallery (and CodePlex.com and RubyGems, etc) probably lies on the less-trustworthy end of the continuum.
这类问题有一些潜在的解决方案,例如可信计算平台联盟提出的解决方案,但是它们对我们目前在开发软件和共享我们认为合适的开发软件方面享有的自由产生了巨大限制,而无需从中央当局花费巨资获得许可证或加密密钥.
There are potential solutions to this sort of problem, such as those proposed by the Trusted Computing Platform Alliance, however they come with huge restrictions on the freedoms that we currently enjoy in developing software and sharing the software we develop as we see fit, without the need for licenses or cryptographic keys obtained from central authorities at great expense.
我相信社区将提出约定和机制,以确保 Nuget 成为 .Net 开发人员可信赖的软件库来源,同时保持其敏捷性,而不需要正式的审查过程.但是,作为用户的最终责任在于您自己,以确保您的 IT 安全不受损害,并且您采取的预防措施取决于您正在编写的软件环境中 IT 安全的重要性(例如家庭项目;可能低.银行、医疗、过程控制项目;可能高!)
I believe that the community will come up with conventions and mechanisms for ensuring that Nuget becomes a trustworthy source of software libraries for .Net developers, whilst retaining the agility it has with not requiring a formal review process. However, the ultimate responsibility rests with yourself as a user to ensure that your IT security isn't compromised, and the precautions you take are a function of the criticality of IT security in the context of the software you are writing (e.g. home projects; probably low. Banking, medical, process control projects; probably high!)
这篇关于NuGet 官方包源:我应该担心包的安全性吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
