Date:      Mon, 16 Mar 2015 13:10:32 -0700
From:      Yuri <yuri@rawbw.com>
To:        Mark Felder <feld@freebsd.org>, freebsd-security@freebsd.org
Subject:   Re: npm doesn't check package signatures, should www/npm print security alert?
Message-ID:  <550738B8.7010704@rawbw.com>
In-Reply-To: <1426536352.4157462.241176113.7D625599@webmail.messagingengine.com>
References:  <55073593.50108@rawbw.com> <1426536352.4157462.241176113.7D625599@webmail.messagingengine.com>

On 03/16/2015 13:05, Mark Felder wrote:
> This would require FreeBSD to modify npm code to inject this message,
> correct? Or do you just want a post-install message when the package is
> installed to remind FreeBSD users about it?
>
> It seems to me a scary warning patch should be sent upstream.

I meant a post-install message.
pkg and ports nicely check package signatures or fingerprints, but then 
npm defeats this outright, if installed.

Yuri


