Thanks Nuno, helpful as always.
On 19 December 2013 03:18, Nuno Job <[email protected]> wrote: > Google "nodejs lockdown lloyd" > > That should be easy enough to get started > > Ideally modules should be signed by author and a couple more people to > validate origin. > > Nodejitsu sells a private npm product, with it comes full control over all > things > > You are right to be concerned: anyone that has a module you use can > effectively attack you. All it takes is for their credentials to be > compromised, credentials which I believe are just a plain text file on your > home. I've raised this issues more than 2 years ago and it seems be a > recurring one right now. So understanding this is how npm works and > creating security validation processes for your releases is a good idea > > You can also check the node security project > > Hope this is helpful > Nuno > > On Thursday, December 19, 2013, Alex Kocharin wrote: > >> >> No idea why. I think it would be reasonable for npm registry to allow >> unpublishing, but deny republishing an exactly the same version number >> afterwards. So if something needs to be republished, maintainer will be >> forced to change version number (or add a build number although it's now >> ignored by npm). >> >> You can try to use caching npm registry, for example this one: >> https://github.com/rlidwka/sinopia >> >> It wasn't specifically created for ensuring immutability, but it's a nice >> side effect. Once certain package (tarball) is cached there, all subsequent >> changes in npm registry will simply be ignored. This way I was able to >> detect changes in bson v0.2.3 deep inside our dependency tree, although >> nothing harmful was there. >> >> >> Anyway, if you're thinking about security, I'd suggest to bring up >> another issue. Signed packages. Without them it's hard to rely even on your >> own published packages. Although I'm not quite sure how to implement this >> properly, I feel it really needs some attention. >> >> >> 18.12.2013, 16:23, "Richard Marr" <[email protected]>: >> >> >> This is probably a stupid/tired question, but why does npm allow mutable >> packages? >> >> I'm working on an app where security is an issue, and among the (many) >> things that I'm frothingly paranoid about is the possibility of malicious >> (or more likely just untested) code somehow getting into our app, even >> though we're using shrink-wrapped versions. It means we'll have to be much >> more careful with the way we proxy the npm registry. >> >> As a secondary point, I would have thought immutable packages would allow >> for much better caching behaviour, so reduce load on the registry itself >> and speed up npm for everybody. >> >> >> >> -- >> Richard Marr >> >> >> -- >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en >> >> --- >> You received this message because you are subscribed to the Google Groups >> "nodejs" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. >> >> -- >> -- >> Job Board: http://jobs.nodejs.org/ >> Posting guidelines: >> https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines >> You received this message because you are subscribed to the Google >> Groups "nodejs" group. >> To post to this group, send email to [email protected] >> To unsubscribe from this group, send email to >> [email protected] >> For more options, visit this group at >> http://groups.google.com/group/nodejs?hl=en?hl=en >> >> --- >> You received this message because you are subscribed to the Google Groups >> "nodejs" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> For more options, visit https://groups.google.com/groups/opt_out. >> > -- > -- > Job Board: http://jobs.nodejs.org/ > Posting guidelines: > https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines > You received this message because you are subscribed to the Google > Groups "nodejs" group. > To post to this group, send email to [email protected] > To unsubscribe from this group, send email to > [email protected] > For more options, visit this group at > http://groups.google.com/group/nodejs?hl=en?hl=en > > --- > You received this message because you are subscribed to the Google Groups > "nodejs" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > -- Richard Marr -- -- Job Board: http://jobs.nodejs.org/ Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines You received this message because you are subscribed to the Google Groups "nodejs" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en --- You received this message because you are subscribed to the Google Groups "nodejs" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
