Malware detection/notification

[didactic-drunk]

Perhaps it's time to plan for supply chain attacks before crystal is targetted.

Topics for discussion:

• Detection
• • Automated
• • Manual auditing
• Incidence reporting
• • Security policies for Crystal.
• • Where to report vulnerabilities for [crystal, shards]
• • Handling reports and verification.
• • CVE reporting
• • How to handle individual shards? Malicious shards? Unmaintained shards?
• Shards enhancements to thwart malware.

Todo:

• 242 Pin the commit hash along with the version.

• TBD

https://www.zdnet.com/article/clipboard-hijacking-malware-found-in-725-ruby-libraries/ https://blog.reversinglabs.com/blog/mining-for-malicious-ruby-gems

[Sija]

FWIW, shard releases based on git tags are a seriously weak point, since any1 can re-tag them at any given moment.

[jhass]

I'm not sure what you expect the action points to be here. If you have any, opening a separate issue per concrete suggestion seems to be more productive.

[j8r]

This isse will limit a type of attacks, by pinning the commit hash along with the version.

[asterite]

Yes, please detail an action plan, otherwise there's no point in keeping this issue open.

[didactic-drunk]

I have. It was shot down. Where exactly can we discuss what action plan(s) would be acceptable without me writing multiple detailed plans that are all rejected?

[straight-shoota]

An open discussion without any actionable plans is best suited for the forum. As soon as some ideas are born they can be turned into an issue here.

[didactic-drunk]

@jhass I've seen other people on crystal-lang/crystal keep updating a list of action point items in a single issue which is what I intended here. It doesn't matter as the forum post is up.

[straight-shoota]

The difference: This issue does not have a list of action point items.

[didactic-drunk]

@straight-shoota I didn't want to propose any as my proposals seem to gather opposition. There is a list now.

[asterite]

So this is something to do on thr shards side, right? If that's the case, there's no need to discuss it in this repo.

[straight-shoota]

"Topics for discussion" are not actionable items in this repo. The only actionable item is #242 and we don't need a tracking list to track a single issue. Let's continue this topic at https://forum.crystal-lang.org/t/malware-detection-notification/1971