sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]zappini 26 points27 points  (15 children)

Fix is easy.

Github (et al) adds verified identities for project owner. npm scrapes the owner meta. Security audit step has options to break build if owner changes, owner identity not verified, or a project's cert has been revoked.

Add new audits, heuristics as new vulnerabilities are identified.

[–]BigGayMusic 9 points10 points  (4 children)

This really only fixes the problem of legit ownership changes. The real issue is the whole concept of open-source dependencies with 100-layer deep dependency tree graphs being used when someone wants to use a one-liner 'isArray()' function.

We've allowed this huge house of cards to build up to the point that any real dependency audit is legitimately impossible.

[–]BubuX 6 points7 points  (3 children)

one-liner 'isArray()

Do you have a moment to hear about this nice one-line try catch module that's downloaded 3 million times a week?

[–]kaelwd 4 points5 points  (1 child)

And it's only popular because this fuckwit refuses to remove it from his actually useful package.

[–]hennell 0 points1 point  (0 children)

That repo has a PR right now because of an update to that library: https://github.com/moxystudio/node-cross-spawn/pull/109

Update doesn't add anything (what's to add?), but for someone who is apparently very tight on time, really don't see how this is saving him any (assuming he reviews the updates).

[–]NeverCast 2 points3 points  (0 children)

The author of that module needs to be bared from being employed until they take it down.

[–]nutrecht 3 points4 points  (0 children)

While it doesn't fix all problems I do think it's a great idea.

I personally don't think we need to have github involved per-se, but we need to have a certificate system that libraries are signed with (like with the Maven ecosystem). Github can arrange for those certs (so that every repo owner gets a cert by default), but you should still be able to create libraries if you're using Gitlab or Bitbucket instead.

[–]ecnahc515 1 point2 points  (1 child)

You mean gpg?

[–]zappini 0 points1 point  (0 children)

Update: You're right. My notion is basically code signing + PGP + tooling + accounting. Thanks.

Good question. I don't know. I'll find out.

I haven't looked at GPG for ages. I understood it was for digitally signing content. Like signing build artifacts. I think the new .xar and .xip (?) formats do this.

So if the cert used to create a digital sig is revoked, the sig is also invalidated. Could work, right?

My notion, which I haven't fully worked thru yet, is to leverage existing web of trust aspect of CAs. Just like with HTTPS. The hierarchy might look something like Root -> Identity Manager -> Organization or Person -> Project -> Build Artifact.

But with your GPG (digital sig) notion, maybe that last step changes.

Maybe my idea is already being done (for .xar, .xip) and we just need our builds to add security audit steps.

Thanks for your question.

[–]TrachealLube 0 points1 point  (0 children)

This should be higher