Are packages which I download from GitHub secure?

Noticing strange behaviour of a package in julia, I don’t know which is the culprit: Is the downloading of packages from Github secure?
My system is OpenSuse Leap 15.1, my julia has version 1.4.1.
After running include("LoadPacl.jl") with

using DifferentialEquations
using Plots
using LinearAlgebra
using DiffEqParamEstim
using RecursiveArrayTools
using Optim
using BlackBoxOptim

then running some self-written optimization with differential equations, stopping julia and doing
ps xa | grep julia
I get
8619 pts/6 S 0:00 /home/ad08/.julia/packages/GR/cRdXQ/src/…/deps/gr/bin/gksqt

Meanwhile this process cannot be killed with a simple kill 8619. Instead I need kill -9 8619.
Sometimes this process even survives a shutdown of my system, of course with a changed PID. I’ve asked JHeinen concerning GR. He has no idea. So again my question: is it possible that one of the above-mentioned packages is infected? I know that GR is not necessarily the culprit.

1 Like

It’s always possible that malicious code was added to a project on GitHub, or the author could have created a malicious project. However, it can’t really be “hidden”: all the code is publicly available. Granted, that doesn’t mean anyone who is safe/reliable has reviewed it. So how long the malicious code would remain out in the public is anyone’s guess.

That said, I’ve seen people talking about gksqt before and having to forcibly kill it. If it is truly starting when you boot the computer, that is disconcerting. Are you sure it’s not starting up when you run Visual Studio, Atom, or Julia?

From my quick googling, it appears to be associated with GR and plotting:
https://github.com/jheinen/GR.jl/issues/111

2 Likes
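The reply above boils down to two checks: does the lingering gksqt binary actually live in the GR package directory shown in the ps output, and was it launched by a user session (Julia, an editor) or at boot? The script below is an added example for this thread, not code from the original posts or from GR.jl. It assumes a Linux system with /proc mounted (as on openSUSE) and the default ~/.julia/packages depot seen in the quoted path; it reads only /proc, so it works even when ps output is ambiguous.

```shell
#!/bin/sh
# Added example (not from the thread or the GR project).
# Assumptions: Linux with /proc, packages under <something>/.julia/packages.

# Does an executable path live inside a Julia package depot? (0 = yes, 1 = no)
is_under_julia_depot() {
  case "$1" in
    */.julia/packages/*) return 0 ;;
    *)                   return 1 ;;
  esac
}

# Seconds between boot and process start, from the 'starttime' field of
# /proc/<pid>/stat (clock ticks since boot) and the kernel tick rate.
start_seconds_after_boot() {
  echo $(( $1 / $2 ))
}

# Print "pid ppid comm secs_after_boot" for one PID, parsing /proc/<pid>/stat.
proc_info() {
  pid=$1
  stat=$(cat "/proc/$pid/stat" 2>/dev/null) || return 1
  comm=${stat#*(}; comm=${comm%)*}   # command name inside the parentheses
  rest=${stat##*) }                  # fields from 'state' onward
  set -- $rest                       # $1=state $2=ppid ... ${20}=starttime
  clk=$(getconf CLK_TCK 2>/dev/null || echo 100)
  printf '%s %s %s %s\n' "$pid" "$2" "$comm" \
    "$(start_seconds_after_boot "${20}" "$clk")"
}

# Walk from a PID up to init, one proc_info line per ancestor.
ancestry() {
  pid=$1
  while [ "$pid" -gt 1 ] 2>/dev/null; do
    line=$(proc_info "$pid") || break
    echo "$line"
    pid=${line#* }; pid=${pid%% *}   # second field is the parent PID
  done
}

# For every process named $1 (e.g. gksqt): where its binary is, whether that
# is inside the Julia depot, its ancestor chain and how long after boot it started.
report() {
  name=$1
  uptime=$(cut -d' ' -f1 /proc/uptime 2>/dev/null || echo '?')
  for d in /proc/[0-9]*; do
    pid=${d#/proc/}
    [ "$(cat "$d/comm" 2>/dev/null)" = "$name" ] || continue
    exe=$(readlink "$d/exe" 2>/dev/null || echo '?')
    if is_under_julia_depot "$exe"; then where="inside a Julia depot"
    else where="OUTSIDE any Julia depot"; fi
    echo "== $name pid $pid: exe=$exe ($where); system uptime ${uptime}s"
    echo "   ancestors (pid ppid comm secs_after_boot):"
    ancestry "$pid" | sed 's/^/   /'
  done
  return 0
}

# Usage: sh inspect_proc.sh [comm]   (defaults to the gksqt from the thread)
report "${1:-gksqt}"
```

Reading the output: an exe path outside ~/.julia/packages, or a start time only a few seconds after boot with no julia, code or atom ancestor, is what would justify the "starts at boot" worry; a start time hours into the uptime matches a plot window left behind by a Julia session. Note that once Julia exits, its orphaned child is reparented to PID 1, so the ancestor chain alone cannot tell the two cases apart; the secs_after_boot column compared with the uptime is the deciding figure.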