Clarify what is allowed and what is considered malicious. #381
Conversation
Signed-off-by: Caleb Brown <[email protected]>
README.md
Outdated
| - and either: | ||
| - when installed or used, would require some sort of incident response; or | ||
| - exfiltrates an identifier that can be directly used to launch an attack | ||
| against the victim (e.g. username for phishing or password bruteforcing) |
There was a problem hiding this comment.
Minor: you don't have to list out all the ways malicious software behaves, but these days I would say stealing browser cookies is pretty high on the list, maybe also installing a keylogger
README.md
Outdated
|
|
||
| - an open source package publicly available in a package registry | ||
| - and either: | ||
| - when installed or used, would require some sort of incident response; or |
There was a problem hiding this comment.
Minor: definitions are hard, and I wouldn't call myself an expert here, but maybe something like "when installed or runs, tries to persist software on the machine unrelated to the advertised function of the package"
Signed-off-by: Caleb Brown <[email protected]>
|
|
||
| Obfuscation, debugger evasion, and other reverse engineering protection | ||
| techniques, are used by both developers seeking to protect their source code | ||
| and attackers seeking to evade detection. |
There was a problem hiding this comment.
The crates.io usage policy forbids any content that
uses obfuscation to hide or mask functionality
which seems to suggest to me that even using obfuscation for protecting source code is considered unacceptable by crates.io (though may not considered malicious), not just if the obfuscation is done to hide malicious behavior.
Further clarify the specification of what is considered malicious for the repository.
This helps make decisions about true vs false positives easier to make.