On 13/11/14 19:11, Donald Stufft wrote:

> As far as I’m aware npm supports TLS the same as pip does. That secures the
> transport between the end users and the repository so you can be assured
> that there is no man in the middle. Security wise npm (and pip) are about
> ~95% (mad up numbers, but you can get the gist) of the effectiveness as the
> OS package managers.

Oh, e.g rpm allows packages to be cryptographically signed, and
depending on your systems config, that is enforced. This is quite
different from just tls'ing a connection.


OpenStack-dev mailing list

Reply via email to