Quoting [email protected] ([email protected]):

> That is criminal behaviour and unacceptable in the free software
> community.  NPM and similar repositories are a bad idea from the
> start.  

Indeed.  Here was my extemporaneous comment on the matter when a friend 
claimed the incident "gave open source a bad name", and that "How long
before someone puts out a version with the location checking reversed?
It shouldn't be impossible for them to trick people into downloading
it."

I wrote:

  I'll ask you a better question:  Why would you trust a fork from just
  someone of an otherwise known codebase?  A person willing to run
  anything from anyone is fodder for the first bad actor (or just bad
  coder) to walk by.  Please don't take this the wrong way, but implying
  that it'd be easy to get many people to trust the untrustworthy strikes
  me as failing Software 101, and in particular open source 101.


  The guy I shave wrote in 1999 a modestly influential essay on the right
  to fork, BTW.  http://linuxmafia.com/faq/Licensing_and_Law/forking.html

  The reasons why in operating systems with package managers as
  gatekeepers we make a point of not trusting upstream are detailed here
  in this editorial footnote of mine:
  http://linuxmafia.com/~rick/weatherwax.html#1

  E.g., there was a time when the upstream maintainers of Adblock Plus and
  of NoScript were in a dumb feud, and one of them inserted code into the
  tip version that sabotaged the other -- but distributions' package
  managers didn't accept that change and avoided sending it out to
  distribution users.  Thus my point about gatekeeping.


  Now, I will tell you that the _particular_ bit of Javascript nastiness
  discussed in the story, node-ipc, is part of a Wild West of Javascript
  stuff that is deliberately kept as its own little "trust me" world, and
  I as a sysadmin would want to have nothing to do with it.  

  When Google wrote the Chromium Web browser (the basis of the proprietary 
  Google Chrome browser), they wrote a Javascript engine called Blink.  
  Third-party yoyos extracted Blink to make it the engine for a (mostly) 
  server-side Javascript runtime environment called node.js.  Then, not 
  done creating baroque horrors, they thought "Wait, node.js needs to 
  have plugins and libraries and stuff.  We're too special to make those 
  handled by system software management, so we're writing our own package 
  manager, domain-specific to node.js.  We'll call it npm."  

  And this node-ipc thing is an npm-installable thing. 

  So, your system security regime and your real package management knows
  absolutely nothing about anything you install using npm.  Your system
  cannot vet that code or make sure it doesn't misbehave or violate system
  policy.  It's like having a wing of your house that doesn't respect
  building codes, was never inspected, and that the homeowner doesn't get
  to check.  Javascript weenies think this is great.  Sysadmins look at
  the idea and say "Not on my system, bud."

-- 
Cheers,        "One of the reasons it takes such a long time to make a picture 
Rick Moen      like 'Jaws' is because it's not the time it takes to take the 
rick@linux     take that takes the time; it's the time it takes between takes 
mafia.com      that takes the time that takes the takes."      -- Roy Scheider
_______________________________________________
luv-main mailing list -- [email protected]
To unsubscribe send an email to [email protected]