Yes, it's legit.

There will always be some hubbub and buzz around things like this.  I
emailed people directly in an attempt to minimize the publicity for
long enough for the affected users to get a chance to reset their
passwords.  Also, I figured that the people actually involved would be
a bit more likely to actually read the details, rather than try to fan
this into a bigger story than it really is.

Not to be dismissive, of course.  It's a real cause for concern.  But
this is the sort of thing that often ends up with people shouting that
"node is insecure, npm packages are all compromised", etc, etc.  It's
not about protecting reputations -- FUD can actually make a real
problem harder to solve properly.  Truth and facts are much better.

There will be a blog post early next week, for anyone who didn't get the email.



On Thu, Mar 8, 2012 at 11:33, dvbportal <[email protected]> wrote:
> I was just explaining why Isaac is recommending to change passwords. At
> least people were wondering about the email.
>
> Leaking password hashes is considered a security breach. In this case the
> user database was unprotected and that was clearly a mistake. The fact that
> it always was unprotected doesn't make it right.
>
>
> On Thursday, March 8, 2012 7:32:49 PM UTC+1, Jann Horn wrote:
>>
>> On Thursday, 08.03.2012, at 09:33 -0800, dvbportal wrote:
>> > The password hashes and salts of the registry's CouchDB have been
>> > compromised. Per default the _users database of CouchDB is not secured.
>> > :(
>>
>> WTF? "Have been compromised"? It always was that way, and as long as you
>> use strong passwords, it's no problem. You're suggesting it was some
>> kind of attack/mistake/..., but that's not the case. It was "Couch can't
>> do that? Well, then we can't."
>>
>> I really don't understand the buzz.
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
