www/npm downloads and installs packages without having signature
checking in place.
There is the discussion about package security
https://github.com/node-forward/discussions/issues/29 , but actual
checking isn't currently done.
Additionally, npm allows direct downloads of GitHub projects with

On Mon, Mar 16, 2015, at 14:57, Yuri wrote:
> www/npm downloads and installs packages without having signature
> checking in place.
> There is the discussion about package security
> https://github.com/node-forward/discussions/issues/29 , but actual
> checking isn't currently done.
>
> Additi

On 03/16/2015 13:05, Mark Felder wrote:
This would require FreeBSD to modify npm code to inject this message,
correct? Or do you just want a post-install message when the package is
installed to remind FreeBSD users about it?
It seems to me a scary warning patch should be sent upstream.
I mean

I've made the change in HEAD to turn off SSL padding (see attached mail
message). Julian, can you test to see if it addresses the issue before I MFC?
--- Begin Message ---
Author: gshapiro
Date: Mon Mar 16 20:24:37 2015
New Revision: 280155
URL: https://svnweb.freebsd.org/changeset/base/280155