Thanks Alex.

Signed packages would be a real win too. Aside from some coding, I guess
the challenge there is how to encourage everyone to jump through the
additional hoops required. The signing could happen by default (I'm
guessing) but publishers would need to upload a public key. I guess we'd
just need to make it easy, build some community support. Maybe
node-security could hand out status badges like Travis does to show that a
package and all its dependencies are signed.
On 19 December 2013 01:42, Alex Kocharin <[email protected]> wrote:

>
> No idea why. I think it would be reasonable for the npm registry to allow
> unpublishing, but deny republishing exactly the same version number
> afterwards. So if something needs to be republished, the maintainer will be
> forced to change the version number (or add a build number, although it's now
> ignored by npm).
>
> You can try to use a caching npm registry, for example this one:
> https://github.com/rlidwka/sinopia
>
> It wasn't specifically created for ensuring immutability, but it's a nice
> side effect. Once a certain package (tarball) is cached there, all subsequent
> changes in the npm registry will simply be ignored. This way I was able to
> detect changes in bson v0.2.3 deep inside our dependency tree, although
> nothing harmful was there.
>
>
> Anyway, if you're thinking about security, I'd suggest bringing up another
> issue. Signed packages. Without them it's hard to rely even on your own
> published packages. Although I'm not quite sure how to implement this
> properly, I feel it really needs some attention.
>
>
> 18.12.2013, 16:23, "Richard Marr" <[email protected]>:
>
>
> This is probably a stupid/tired question, but why does npm allow mutable
> packages?
>
> I'm working on an app where security is an issue, and among the (many)
> things that I'm frothingly paranoid about is the possibility of malicious
> (or more likely just untested) code somehow getting into our app, even
> though we're using shrink-wrapped versions. It means we'll have to be much
> more careful with the way we proxy the npm registry.
>
> As a secondary point, I would have thought immutable packages would allow
> for much better caching behaviour, and so reduce load on the registry itself
> and speed up npm for everybody.
>
>
>
> --
> Richard Marr
>
>
> --
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines:
> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google
> Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nodejs?hl=en?hl=en
>
> ---
> You received this message because you are subscribed to the Google Groups
> "nodejs" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
-- 
Richard Marr
