13 votes

A Confusing Dependency

3 comments

  1. cfabbro

    Such a remarkably underwhelming title for what was ultimately a really interesting read, and kind of a scary problem. The twitter thread with BinTray is pretty interesting as well:
    https://twitter.com/bintray/status/1073105527834476544

    JFrog Bintray - Now we know. We'll remove the malicious library. Thanks for letting us know.

    Karussell - Thanks! Please note that there seem to be multiple libraries with this problem. What enhancements are possible in the upload procedure?

    JFrog Bintray - We are conducting an audit to find more malicious users and clean them up. We'll investigate how it happened that we didn't react to the reports users sent. We'll harden the inclusion procedures to make sure it doesn't happen in the future.

    Louis CAD - How can we be informed when you set up a way to check identity of publishers and remove the malicious artifacts? For projects hosted on GitHub, you should require GitHub login and check the person is a member of the project.

    JFrog Bintray - That's a good idea, although not enough. We'll keep the community posted on the steps we take.

    Nikita Salnikov - Eagerly waiting for a post-mortem about this incident. Security breach reported 10 months ago but fixed only today - that's interesting...

    JFrog Bintray - We will publish a full post mortem. Stay tuned.

    So it appears being publicly shamed and drawing some major attention has at least made them finally take the issue seriously.

    With a follow-up tweet today:

    JFrog Bintray

    Update on the malicious content incident: We reviewed and removed all the reported malicious content and banned the users. We are auditing JCenter to others. We'll follow up with a process failure post mortem and the next prevention steps.

    7 votes
    1. rkcr

      I try to keep the original titles but yes, this has certainly been making waves in the Android developer community.

      Jake Wharton is someone a lot of people follow semi-religiously, so when he says you should stop using jcenter and Bintray, that can have serious consequences. It would not surprise me if it becomes common practice to stay away from jcenter entirely in the Android world within the next year, which would be quite a fall from being included (by default) with every new Android project.

      8 votes
      1. cfabbro

        I think adding some additional context to the title wouldn't have been the worst thing in the world since it's pretty vague and not exactly very descriptive. I was also not aware of Jake Wharton, but if he is indeed as influential as you say, I suspect the people at BinTray are probably shitting themselves right now, which I guess explains the tweets.

        4 votes
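The practical takeaway relayed in the thread is to stop resolving artifacts from jcenter/Bintray, which the Android project template of the time added by default. The settings.gradle.kts below is an added example, not code from the thread, the linked post, or JFrog, showing the default configuration beside a hardened one that drops jcenter and pins each dependency group to a single repository with Gradle's exclusiveContent, so that an artifact with the same coordinates in another repository is never substituted. The group name com.example.trusted is a placeholder standing in for whatever the project actually depends on.

```kotlin
// settings.gradle.kts -- added example, not from the original thread or post.
//
// Before (typical Android template of the period): every repository is a
// candidate for every artifact, so a same-named artifact published to
// jcenter/Bintray could be picked up by coordinates alone.
//
// dependencyResolutionManagement {
//     repositories {
//         google()
//         jcenter()
//     }
// }

// After: jcenter() removed, repositories declared only here (FAIL_ON_PROJECT_REPOS
// rejects any module that tries to add its own), and each group restricted to
// exactly one repository. Requires Gradle 6.2+ for exclusiveContent and 7.0+ for
// dependencyResolutionManagement.
dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        // Android and Jetpack artifacts may come from Google's repository only.
        exclusiveContent {
            forRepository { google() }
            filter {
                includeGroupByRegex("com\\.android.*")
                includeGroupByRegex("androidx\\..*")
            }
        }
        // Hypothetical group: pinned to Maven Central so no other repository
        // (including any later-added one) can serve these coordinates.
        exclusiveContent {
            forRepository { mavenCentral() }
            filter {
                includeGroup("com.example.trusted")
            }
        }
        // Anything not matched above falls through to Maven Central alone.
        mavenCentral()
    }
}
```

Pinning where a group is resolved from does not verify what is downloaded. As a second layer, Gradle's dependency verification can record checksums with `./gradlew --write-verification-metadata sha256 help`, which writes gradle/verification-metadata.xml; once committed, a build fails if any resolved artifact no longer matches the recorded hash.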