
Revoking (Yanking) Parcels

Open technosophos opened this issue 3 years ago • 0 comments

A desired feature of future-Bindle would be to mark an individual parcel as yanked.

Scenario: Say we have a single library that is frequently shared by many bindles. And imagine the case where a security vulnerability is discovered in this library. We could yank that individual parcel. The following effects could then be built on this feature:

  • When a user downloads a bindle that references a yanked parcel, we can at best warn, at worst prevent them from installing
  • Alternately, we could auto-yank all bindles that reference that parcel (which is heavy-handed, but possibly warranted)
  • We could provide a facility by which a yanked parcel could have a "recommended upgrade" and bindle authors would be notified of that upgrade. e.g. "mySSL 1.2.3 has a vulnerability. Upgrade to mySSL 1.5.6 or greater"

Whatever system we use, we would have to prevent a bad actor from maliciously yanking other people's bindles. e.g. if someone marked the MIT license parcel as "yanked", it could yank every single MIT-licensed bindle.

technosophos, Feb 03 '22 16:02
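The three ideas in the issue (warn on download of a bindle that references a yanked parcel, find the bindles affected by a yank so their authors can be told about a recommended upgrade, and refuse yanks from anyone but the parcel's publisher or a registry admin) fit in one small model. The following is an added example written for this page, not Bindle's own code or data model: the struct fields, the `publisher`/`admins` authorization rule, and the sample parcels, digests and bindle names are all assumptions constructed for illustration.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical, simplified model of a Bindle-style registry. Field names and the
// ownership rule are assumptions for this example, not Bindle's real schema.

#[derive(Debug, Clone)]
pub struct Yank {
    pub reason: String,
    pub recommended_upgrade: Option<String>,
}

#[derive(Debug, Clone)]
pub struct ParcelRecord {
    pub sha256: String,
    pub name: String,
    pub publisher: String, // who is allowed to yank this parcel
    pub yanked: Option<Yank>,
}

#[derive(Debug, Clone)]
pub struct Invoice {
    pub bindle: String,
    pub parcels: Vec<String>, // sha256 digests of the parcels this bindle references
}

#[derive(Debug, Default)]
pub struct Registry {
    parcels: HashMap<String, ParcelRecord>,
    invoices: Vec<Invoice>,
    admins: HashSet<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum YankError {
    NotFound,
    Forbidden,
}

#[derive(Debug, PartialEq, Eq)]
pub struct Warning {
    pub parcel: String,
    pub reason: String,
    pub recommended_upgrade: Option<String>,
}

impl Registry {
    pub fn add_admin(&mut self, who: &str) { self.admins.insert(who.to_string()); }
    pub fn add_parcel(&mut self, rec: ParcelRecord) { self.parcels.insert(rec.sha256.clone(), rec); }
    pub fn add_invoice(&mut self, inv: Invoice) { self.invoices.push(inv); }

    /// Mark a parcel as yanked. Only its publisher or a registry admin may do so;
    /// this is the check that stops a third party from yanking a widely shared
    /// parcel (the MIT license file in the issue's example) and thereby every
    /// bindle that includes it.
    pub fn yank(&mut self, actor: &str, sha256: &str, reason: &str, upgrade: Option<&str>) -> Result<(), YankError> {
        let rec = self.parcels.get_mut(sha256).ok_or(YankError::NotFound)?;
        if rec.publisher != actor && !self.admins.contains(actor) {
            return Err(YankError::Forbidden);
        }
        rec.yanked = Some(Yank { reason: reason.to_string(), recommended_upgrade: upgrade.map(str::to_string) });
        Ok(())
    }

    /// What a client should see when it fetches a bindle: one warning per yanked
    /// parcel the bindle references (a stricter policy could refuse the install).
    pub fn check_bindle(&self, bindle: &str) -> Vec<Warning> {
        self.invoices.iter()
            .filter(|i| i.bindle == bindle)
            .flat_map(|i| i.parcels.iter())
            .filter_map(|sha| {
                let rec = self.parcels.get(sha)?;
                let y = rec.yanked.as_ref()?;
                Some(Warning { parcel: rec.name.clone(), reason: y.reason.clone(), recommended_upgrade: y.recommended_upgrade.clone() })
            })
            .collect()
    }

    /// Bindles that reference a parcel: the set to notify about a recommended
    /// upgrade, or to auto-yank under the heavy-handed policy.
    pub fn affected_bindles(&self, sha256: &str) -> Vec<String> {
        self.invoices.iter()
            .filter(|i| i.parcels.iter().any(|p| p == sha256))
            .map(|i| i.bindle.clone())
            .collect()
    }
}

/// Constructed sample data; the digests are placeholders, not real hashes.
pub fn sample_registry() -> Registry {
    let mut reg = Registry::default();
    reg.add_admin("registry-admin");
    reg.add_parcel(ParcelRecord { sha256: "aaa".into(), name: "mySSL 1.2.3".into(), publisher: "ssl-team".into(), yanked: None });
    reg.add_parcel(ParcelRecord { sha256: "bbb".into(), name: "LICENSE-MIT".into(), publisher: "osi".into(), yanked: None });
    reg.add_invoice(Invoice { bindle: "example.com/webapp/1.0.0".into(), parcels: vec!["aaa".into(), "bbb".into()] });
    reg.add_invoice(Invoice { bindle: "example.com/cli/2.1.0".into(), parcels: vec!["bbb".into()] });
    reg
}

fn main() {
    let mut reg = sample_registry();
    // A third party cannot yank the shared license parcel.
    println!("mallory yanks LICENSE-MIT: {:?}", reg.yank("mallory", "bbb", "just because", None));
    // The publisher yanks its vulnerable library and recommends an upgrade.
    reg.yank("ssl-team", "aaa", "security vulnerability", Some("mySSL 1.5.6")).unwrap();
    println!("bindles to notify: {:?}", reg.affected_bindles("aaa"));
    for w in reg.check_bindle("example.com/webapp/1.0.0") { println!("warning: {:?}", w); }
}
```

The authorization check lives on the registry side, next to the yank itself, so a client never has to trust a yank flag it cannot verify the origin of; whether a client merely warns or refuses to install is then a policy decision layered on `check_bindle`.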