On Tue, Feb 13, 2018 at 07:28:09PM +0000, Mike Small wrote: > Dan Ritter <d...@randomstring.org> writes: > > > On Tue, Feb 13, 2018 at 10:51:41AM -0800, Rich Braun wrote: > >> Kent Borg <kentb...@borg.org> asks: > >> > But I can't figure out how to install npm. When I search for > >> > installation instructions they all seem to want me to pipe a curl > >> > command into a sudo bash. Huh? That's scary as hell. > >> > >> Let others do the installation for you: my go-to technology for this is > >> Docker. First get docker installed > > > > And transfers those headaches to your security and ops teams. > > > > Would Nix or Guix (run from within Debian -- guessing the former would > be more likely to have npm) be a better substitute? This was one of the > issues mentioned against things like Docker when we had that Guix talk a > couple years back. I have no first hand experience myself, only curious.
Nix/Guix are designed to deal with these problems. You need to be able to keep track of all the source code and build tools that go into a deployment, in such a way that you can learn about a problem and figure out the extent of your exposure. There's no reason for that not to be available in a container system, it just isn't done that way routinely. Similarly, Go statically links everything, so you need the same tracking procedure plus the ability to rebuild all your Go programs in accordance with your security policy. Automatic methods beat manual methods, widely-used automatic methods beat local hacks. Wide support is key. -dsr- _______________________________________________ Discuss mailing list Discuss@blu.org http://lists.blu.org/mailman/listinfo/discuss