On Tue, Feb 13, 2018 at 07:28:09PM +0000, Mike Small wrote:
> Dan Ritter <d...@randomstring.org> writes:
> > On Tue, Feb 13, 2018 at 10:51:41AM -0800, Rich Braun wrote:
> >> Kent Borg <kentb...@borg.org> asks:
> >> > But I can't figure out how to install npm. When I search for
> >> > installation instructions they all seem to want me to pipe a curl
> >> > command into a sudo bash. Huh? That's scary as hell.
> >> 
> >> Let others do the installation for you: my go-to technology for this is
> >> Docker. First get docker installed
> >
> > And transfers those headaches to your security and ops teams.
> >
> Would Nix or Guix (run from within Debian -- guessing the former would
> be more likely to have npm) be a better substitute? This was one of the
> issues mentioned against things like Docker when we had that Guix talk a
> couple years back. I have no first hand experience myself, only curious.

Nix/Guix are designed to deal with these problems.

You need to be able to keep track of all the source code and
build tools that go into a deployment, in such a way that you 
can learn about a problem and figure out the extent of your

There's no reason for that not to be available in a container
system, it just isn't done that way routinely.

Similarly, Go statically links everything, so you need the same
tracking procedure plus the ability to rebuild all your Go
programs in accordance with your security policy.

Automatic methods beat manual methods, widely-used automatic
methods beat local hacks. Wide support is key.


Discuss mailing list

Reply via email to