nym · August 8, 2011 20:42
diff --git a/npm+tlp b/npm+tlp
 nym> i'm by no means a security expert, but i do have some basic security concerns about npm with respect to The Locker Project
 [1:30 PM] <isaacs> nym: yeah, i'm working on that :)
 [1:31 PM] <nym> cool, just mentioning it because our use case is protecting personal data
 [1:31 PM]  → liquidproof ([email protected]) joined
 [1:31 PM] <isaacs> nym: the short answer for now is to set up a registry internally, configure couch to always require auth and only be accessible via https, and set npm to always-auth as well.
 [1:32 PM]  → cafesofie and tristanseifert joined  
 [1:33 PM] <isaacs> nym: fairly soon, the registry will send out a cert for "registry.npmjs.org" (instead of one for *.iriscouch.com) and the client will validate that.
 [1:33 PM]  ⇐ dherman ([email protected]) quit: Quit: dherman
 [1:33 PM] <isaacs> nym: you're not using npm to send and fetch your actual personal data you store, are you...?
 [1:33 PM]  → Gus and Cleer joined  
 [1:34 PM] <nym> isaacs: no, but our connectors use node.js dependencies
 [1:34 PM] <Gus> hi
 [1:34 PM] <isaacs> nym: right, that's what i thought you meant.  so you wanna make sure that the deps come from who they say they come from, the registry is the "real" registry, etc.
 [1:34 PM] <nym> right
 [1:35 PM]  ⇐ Guest85763, explodes and Gus quit  
 [1:35 PM] <nym> ideally we'd like to maintain our own registry to make sure the versions were the right ones
 [1:35 PM]  ⇐ Guest431 ([email protected]) quit: Ping timeout: 276 seconds
 [1:35 PM] <nym> so we can have a "stable" product, so to speak
 [1:36 PM]  ⇐ ericmuyser ([email protected]) quit: Quit: ericmuyser
 [1:37 PM] <sechrist> woot, I set up a cheap little tv monitor to sit near my workstation dedicated to irc
 [1:37 PM] <nym> isaacs: please feel free to come by #lockerproject and talk anytime
 [1:37 PM]  → margle joined  ⇐ zastaph quit  
 [1:38 PM] <isaacs> nym: looks interesting.  i'll check it out after node knockout if i'm still sane ;)
	nym> i'm by no means a security expert, but i do have some basic security concerns about npm with respect to The Locker Project
	[1:30 PM] <isaacs> nym: yeah, i'm working on that :)
	[1:31 PM] <nym> cool, just mentioning it because our use case is protecting personal data
	[1:31 PM] → liquidproof ([email protected]) joined
	[1:31 PM] <isaacs> nym: the short answer for now is to set up a registry internally, configure couch to always require auth and only be accessible via https, and set npm to always-auth as well.
	[1:32 PM] → cafesofie and tristanseifert joined
	[1:33 PM] <isaacs> nym: fairly soon, the registry will send out a cert for "registry.npmjs.org" (instead of one for *.iriscouch.com) and the client will validate that.
	[1:33 PM] ⇐ dherman ([email protected]) quit: Quit: dherman
	[1:33 PM] <isaacs> nym: you're not using npm to send and fetch your actual personal data you store, are you...?
	[1:33 PM] → Gus and Cleer joined
	[1:34 PM] <nym> isaacs: no, but our connectors use node.js dependencies
	[1:34 PM] <Gus> hi
	[1:34 PM] <isaacs> nym: right, that's what i thought you meant. so you wanna make sure that the deps come from who they say they come from, the registry is the "real" registry, etc.
	[1:34 PM] <nym> right
	[1:35 PM] ⇐ Guest85763, explodes and Gus quit
	[1:35 PM] <nym> ideally we'd like to maintain our own registry to make sure the versions were the right ones
	[1:35 PM] ⇐ Guest431 ([email protected]) quit: Ping timeout: 276 seconds
	[1:35 PM] <nym> so we can have a "stable" product, so to speak
	[1:36 PM] ⇐ ericmuyser ([email protected]) quit: Quit: ericmuyser
	[1:37 PM] <sechrist> woot, I set up a cheap little tv monitor to sit near my workstation dedicated to irc
	[1:37 PM] <nym> isaacs: please feel free to come by #lockerproject and talk anytime
	[1:37 PM] → margle joined ⇐ zastaph quit
	[1:38 PM] <isaacs> nym: looks interesting. i'll check it out after node knockout if i'm still sane ;)