{"id":6255,"date":"2017-09-15T14:33:45","date_gmt":"2017-09-15T19:33:45","guid":{"rendered":"https:\/\/rud.is\/b\/?p=6255"},"modified":"2018-03-10T07:54:26","modified_gmt":"2018-03-10T12:54:26","slug":"its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/","title":{"rendered":"It’s a FAKE (?)! Revisiting Trust In FOSS Ecosystems"},"content":{"rendered":"

I’ve blathered about trust before 1<\/a><\/sup> 2<\/a><\/sup>, but said blatherings were in a “what if”<\/em> context. Unfortunately, the if<\/em> has turned into a when<\/em>, which begged for further blathering on a recent FOSS ecosystem cybersecurity incident.<\/p>\n

The gg_spiffy @thomasp85 linked to a post by the SK-CSIRT<\/a> detailing the discovery and take-down of a series of malicious Python packages. Here’s their high-level incident summary:<\/p>\n

\nSK-CSIRT identified malicious software libraries in the official Python package
\nrepository, PyPI, posing as well known libraries. A prominent example is a fake
\npackage urllib-1.21.1.tar.gz, based upon a well known package
\nurllib3-1.21.1.tar.gz.
\nSuch packages may have been downloaded by unwitting developer or administrator
\nby various means, including the popular \u201cpip\u201d utility (pip install urllib).
\nThere is evidence that the fake packages have indeed been downloaded and
\nincorporated into software multiple times between June 2017 and September 2017.\n<\/div>\n

Words are great but, unlike some other FOSS projects (*cough* R *cough*)<\/span><\/i> the PyPI folks have authoritative<\/strong> log data<\/a> regarding package downloads from PyPI. This means we can begin to quantify the exposure. The Google BigQuery SQL was pretty straightforward:<\/p>\n

SELECT timestamp, file.project as package, country_code, file.version AS version\r\nFROM (\r\n  (TABLE_DATE_RANGE([the-psf:pypi.downloads], TIMESTAMP('2016-01-22'), TIMESTAMP('2017-09-15')))\r\n)\r\nWHERE file.project IN ('acqusition', apidev-coop', 'bzip', 'crypt', 'django-server',\r\n                       'pwd', 'setup-tools', 'telnet', 'urlib3', 'urllib')<\/code><\/pre>\n
Let’s see what the daily downloads of the malicious package look like:<\/p>\n
\"\"<\/a><\/p>\n
\n
Thanks to Curtis Doty<\/a> (@dotysan on GH) I learned that the BigQuery table can be further filtered to exclude mirror-to-mirror traffic. The data for that is now in the GH repository and the chart in this callout shows that the exposure was very, very (very) limited:<\/p>\n
\"\"<\/a><\/p>\n<\/div>\n
But, we need counts of the mal-package dopplegangers (i.e. the good packages) to truly understand scope of exposure:<\/p>\n
\"\"<\/a><\/p>\n
Thankfully, the SK-CSIRT folks caught this in time and the exposure was limited. But those are some popular tools that were targeted and it’s super-easy to sneak these into requirements.txt<\/code> and scripts since the names are similar and the functionality is duplicated.<\/p>\n
I’ll further note that the crypto<\/code> package was “good” at some point in time then went away and was replaced with the nefarious one. That seems like a pretty big PyPI oversight (vis-a-vis package retirement & name re-use), but I’m not casting stones. R’s devtools::install_github()<\/code> and wanton source()<\/code>ing are just as bad, and the non-CRAN ecosystem is an even more varmint-prone “wild west” environment.<\/p>\n
Furthermore, this is a potential exposure issue in many FOSS package repository ecosystems. On the one hand, these are open environments with tons of room for experimentation, creativity and collaboration. On the other hand, they’re all-too-easy targets for malicious hackers to prey upon.<\/p>\n
I, unfortunately, have no quick-fix solutions to offer. “Review your code and dependencies” is about the best I can suggest until individual ecosystems work on better integrity & authenticity controls or there is a cross-ecosystem effort to establish “best practices” and perhaps even staffed, verified, audited, free services that work like a sheriff+notary to help ensure the safety of projects relying on open source components.<\/p>\n
Python folks: double check that you weren’t a victim here (it’s super easy to type some of those package names wrong, and hopefully you’ve noticed builds failing if you had done so).<\/p>\n
R folks: don’t be smug, watch your GitHub dependencies and double check your projects.<\/p>\n
You can find the data and the scripts used to generate the charts (ironically enough) on GitHub<\/a>.<\/p>\n
Finally: I just want to close with a “thank you!” to PyPI’s Donald Stufft who (quickly!) pointed me to a blog post<\/a> detailing the BigQuery setup.<\/p>\n","protected":false},"excerpt":{"rendered":"
I’ve blathered about trust before 1 2, but said blatherings were in a “what if” context. Unfortunately, the if has turned into a when, which begged for further blathering on a recent FOSS ecosystem cybersecurity incident. The gg_spiffy @thomasp85 linked to a post by the SK-CSIRT detailing the discovery and take-down of a series of […]<\/p>\n","protected":false},"author":1,"featured_media":6265,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[91],"tags":[810],"class_list":["post-6255","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-r","tag-post"],"yoast_head":"\nIt's a FAKE (?)! Revisiting Trust In FOSS Ecosystems - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-\ud83d\udce6-revisiting-trust-in-foss-ecosystems\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"It's a FAKE (?)! Revisiting Trust In FOSS Ecosystems - rud.is\" \/>\n<meta property=\"og:description\" content=\"I’ve blathered about trust before 1 2, but said blatherings were in a “what if” context. Unfortunately, the if has turned into a when, which begged for further blathering on a recent FOSS ecosystem cybersecurity incident. The gg_spiffy @thomasp85 linked to a post by the SK-CSIRT detailing the discovery and take-down of a series of […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-\ud83d\udce6-revisiting-trust-in-foss-ecosystems\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2017-09-15T19:33:45+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-03-10T12:54:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"2112\" \/>\n\t<meta property=\"og:image:height\" content=\"1440\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"It’s a FAKE (?)! Revisiting Trust In FOSS Ecosystems\",\"datePublished\":\"2017-09-15T19:33:45+00:00\",\"dateModified\":\"2018-03-10T12:54:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/\"},\"wordCount\":587,\"commentCount\":8,\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"image\":{\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1\",\"keywords\":[\"post\"],\"articleSection\":[\"R\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/\",\"url\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/\",\"name\":\"It's a FAKE (?)! Revisiting Trust In FOSS Ecosystems - rud.is\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1\",\"datePublished\":\"2017-09-15T19:33:45+00:00\",\"dateModified\":\"2018-03-10T12:54:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage\",\"url\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1\",\"width\":2112,\"height\":1440},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/rud.is\/b\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"It’s a FAKE (?)! Revisiting Trust In FOSS Ecosystems\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/rud.is\/b\/#website\",\"url\":\"https:\/\/rud.is\/b\/\",\"name\":\"rud.is\",\"description\":\""In God we trust. All others must bring data"\",\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/rud.is\/b\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\/\/rud.is\"],\"url\":\"https:\/\/rud.is\/b\/author\/hrbrmstr\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"It's a FAKE (?)! Revisiting Trust In FOSS Ecosystems - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-\ud83d\udce6-revisiting-trust-in-foss-ecosystems\/","og_locale":"en_US","og_type":"article","og_title":"It's a FAKE (?)! Revisiting Trust In FOSS Ecosystems - rud.is","og_description":"I’ve blathered about trust before 1 2, but said blatherings were in a “what if” context. Unfortunately, the if has turned into a when, which begged for further blathering on a recent FOSS ecosystem cybersecurity incident. The gg_spiffy @thomasp85 linked to a post by the SK-CSIRT detailing the discovery and take-down of a series of […]","og_url":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-\ud83d\udce6-revisiting-trust-in-foss-ecosystems\/","og_site_name":"rud.is","article_published_time":"2017-09-15T19:33:45+00:00","article_modified_time":"2018-03-10T12:54:26+00:00","og_image":[{"width":2112,"height":1440,"url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1","type":"image\/png"}],"author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"It’s a FAKE (?)! Revisiting Trust In FOSS Ecosystems","datePublished":"2017-09-15T19:33:45+00:00","dateModified":"2018-03-10T12:54:26+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/"},"wordCount":587,"commentCount":8,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"image":{"@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1","keywords":["post"],"articleSection":["R"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/","url":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/","name":"It's a FAKE (?)! Revisiting Trust In FOSS Ecosystems - rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"primaryImageOfPage":{"@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage"},"image":{"@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1","datePublished":"2017-09-15T19:33:45+00:00","dateModified":"2018-03-10T12:54:26+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#primaryimage","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1","width":2112,"height":1440},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2017\/09\/15\/its-a-fake-%f0%9f%93%a6-revisiting-trust-in-foss-ecosystems\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"It’s a FAKE (?)! Revisiting Trust In FOSS Ecosystems"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":""In God we trust. All others must bring data"","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/09\/download_counts_per_day-1.png?fit=2112%2C1440&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p23idr-1CT","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":2912,"url":"https:\/\/rud.is\/b\/2014\/02\/12\/one-more-yet-another-olympic-medal-live-tracking-shiny-app\/","url_meta":{"origin":6255,"position":0},"title":"One More (Yet-another?) Olympic Medal Live-tracking Shiny App","author":"hrbrmstr","date":"2014-02-12","format":false,"excerpt":"I'm posting this mostly to show how to: - use the Google spreadsheet data-munging \"hack\" from the [previous post](http:\/\/rud.is\/b\/2014\/02\/11\/live-google-spreadsheet-for-keeping-track-of-sochi-medals\/) in a Shiny context - include it seamlessly into a web page, and - run it locally without a great deal of wrangling The code for the app is [in this\u2026","rel":"","context":"In "data driven security"","block_context":{"text":"data driven security","link":"https:\/\/rud.is\/b\/category\/data-driven-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":10848,"url":"https:\/\/rud.is\/b\/2018\/05\/30\/os-secrets-exposed-extracting-extended-file-attributes-and-exploring-hidden-download-urls-with-the-xattrs-package\/","url_meta":{"origin":6255,"position":1},"title":"OS Secrets Exposed: Extracting Extended File Attributes and Exploring Hidden Download URLs With The xattrs Package","author":"hrbrmstr","date":"2018-05-30","format":false,"excerpt":"Most modern operating systems keep secrets from you in many ways. One of these ways is by associating extended file attributes with files. These attributes can serve useful purposes. For instance, macOS uses them to identify when files have passed through the Gatekeeper or to store the URLs of files\u2026","rel":"","context":"In "R"","block_context":{"text":"R","link":"https:\/\/rud.is\/b\/category\/r\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5097,"url":"https:\/\/rud.is\/b\/2017\/02\/23\/on-watering-holes-trust-defensible-systems-and-data-science-community-security\/","url_meta":{"origin":6255,"position":2},"title":"On Watering Holes, Trust, Defensible Systems and Data Science Community Security","author":"hrbrmstr","date":"2017-02-23","format":false,"excerpt":"I've been threatening to do a series on \"data science community security\" for a while and had cause to issue this inaugural post today. It all started with this: Hey #rstats folks: don't do this. Srsly. Don't do this. Pls. Will blog why. Just don't do this. https:\/\/t.co\/qkem5ruEBi\u2014 boB Rudis\u2026","rel":"","context":"In "R"","block_context":{"text":"R","link":"https:\/\/rud.is\/b\/category\/r\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1200%2C1035&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1200%2C1035&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1200%2C1035&ssl=1&resize=525%2C300 1.5x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1200%2C1035&ssl=1&resize=700%2C400 2x, https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2017\/02\/hieRarchy.png?fit=1200%2C1035&ssl=1&resize=1050%2C600 3x"},"classes":[]},{"id":11978,"url":"https:\/\/rud.is\/b\/2019\/02\/22\/cloudy-with-a-chance-of-caffeinated-query-orchestration-new-rjava-wrappers-for-aws-athena-sdk-for-java\/","url_meta":{"origin":6255,"position":3},"title":"Cloudy with a chance of Caffeinated Query Orchestration – New rJava Wrappers for AWS Athena SDK for Java","author":"hrbrmstr","date":"2019-02-22","format":false,"excerpt":"There are two fledgling rJava-based R packages that enable working with the AWS SDK for Athena: awsathena | GL| GH awsathenajars | GL| GH They're both needed to conform with the way CRAN like rJava-based packages submitted that also have large JAR dependencies. The goal is to eventually have wrappers\u2026","rel":"","context":"In "Java"","block_context":{"text":"Java","link":"https:\/\/rud.is\/b\/category\/java\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":13894,"url":"https:\/\/rud.is\/b\/2023\/03\/29\/using-webr-pyodide-to-fill-in-the-temporary-package-gaps\/","url_meta":{"origin":6255,"position":4},"title":"Using WebR + Pyodide To Fill In The (Temporary) Package Gaps","author":"hrbrmstr","date":"2023-03-29","format":false,"excerpt":"I won't wax long and poetic here since I've already posted the experiment that has all the details. TL;DR: there are still only ~90-ish ? in the WebR WASM \"CRAN\", but more are absolutely on the way, including the capability to build your own CRAN and dev packages via Docker\u2026","rel":"","context":"In "Python"","block_context":{"text":"Python","link":"https:\/\/rud.is\/b\/category\/python-2\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3732,"url":"https:\/\/rud.is\/b\/2015\/10\/22\/installing-r-on-os-x-100-homebrew-edition\/","url_meta":{"origin":6255,"position":5},"title":"Installing R on OS X – “100% Homebrew Edition”","author":"hrbrmstr","date":"2015-10-22","format":false,"excerpt":"In a previous post I provided \"mouse-heavy\" instructions for getting R running on your Mac. A few of the comments suggested that an \"all Homebrew\" solution may be preferable for some folks. Now, there are issues with this since getting \"support\" for what may be R issues will be very\u2026","rel":"","context":"In "OS X"","block_context":{"text":"OS X","link":"https:\/\/rud.is\/b\/category\/os-x\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/6255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=6255"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/6255\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media\/6265"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=6255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=6255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=6255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}