Dependencies should be fetched directly from VCS
6 hours ago
- #dependency-management
- #security-auditing
- #package-managers
- Go's dependency management uses URLs to fetch directly from VCS, enhancing security by avoiding a separate package publishing step.
- Ruby and other package managers (like npm) rely on published packages (.gem, .tar.gz), which are harder to audit due to lack of commit history and potential for tampering.
- Auditing Go dependencies is easier: review commit logs via git, while auditing RubyGems requires downloading and diffing package files, a more cumbersome process.
- Recent security incidents (e.g., npm compromises, xz exploit) often involve injecting malicious code during the package publishing step, not the source repo.
- The author suggests modifying Ruby's Bundler to enforce fetching dependencies directly from git to improve transparency and auditing, mimicking Go's approach.