Christopher Allan Webber

npm disaster unfolding

Christopher Allan Webber at

When people hear @David Thompson and me complain about what a disaster npm's packaging is, I think we get a lot of skepticism. And I can't blame people, in the sense that most users aren't seeing problems, and it's so popular, so must there really be problems?

Turns out there are really problems.

After a trademark takedown, a prominent contributor to npm took down many of his packages. (Discussion on Reddit and on HN.) But it might be a lot worse: easy hijackability has been demonstrated (though maybe this particular one is not so bad, the situation is certainly bad).

Kind of relatedly, it looks like Guix may get npm packaging importing this summer through GSoC; there is at least one promising proposal, so I guess we'll see.


(it *is* relevant to the story, in the sense that if everybody inlined their small dependencies, the attack surface for a thing like this would be smaller, but it wouldn't *remove* the issue.)

Claes Wallin (韋嘉誠) at 2016-03-24T10:42:43Z

In a sense, Guix also has some risk in case someone takes down a source package. Guix has a cache of packages on Hydra, so it's unlikely we'll totally lose things entirely for current packages, but for older versions of Guix, history may bitrot away.

Content addressed storage may be the right and necessary answer indeed.

Christopher Allan Webber at 2016-03-24T16:17:06Z

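One way to make the point about content-addressed storage concrete, as an added example that is not part of the original thread: a lockfile pins each dependency to the SHA-256 of its tarball, a local cache is keyed by that hash rather than by name, and bytes from a name-addressed registry are trusted only when they match the pin. The package name tiny-dep, both tarballs and the dict standing in for the registry are constructed for the example.

```python
"""Content-addressed dependency cache (added example; not from the post).
A lockfile pins each dependency to the SHA-256 of its tarball; fetched bytes
are used only if they hash to that pin, so a same-name republish with other
contents is rejected, and a local cache survives a registry takedown."""
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ContentStore:
    """Blobs keyed by their own sha256; the package name plays no role here."""
    def __init__(self):
        self._blobs = {}
    def put(self, data: bytes):
        self._blobs[digest(data)] = data
    def get(self, key: str):
        return self._blobs.get(key)

def resolve(lock: dict, store: ContentStore, registry: dict) -> dict:
    """Return {name: tarball bytes}: local cache first, then the name-addressed
    registry (a dict (name, version) -> bytes standing in for npm), pin-checked."""
    out = {}
    for name, entry in lock.items():
        data = store.get(entry["sha256"])
        if data is None:
            data = registry[(name, entry["version"])]   # KeyError if taken down
            if digest(data) != entry["sha256"]:
                raise ValueError(f"{name}@{entry['version']}: tarball does not "
                                 f"match pinned sha256 {entry['sha256'][:12]}")
            store.put(data)
        out[name] = data
    return out

def run_scenario() -> tuple:
    """Takedown, then same-name republish; returns (cached_ok, hijack_rejected).
    The package name tiny-dep and both tarballs are constructed."""
    good = b"module.exports = function pad(s, n) { /* ... */ };\n"
    lock = {"tiny-dep": {"version": "1.0.0", "sha256": digest(good)}}
    store, registry = ContentStore(), {("tiny-dep", "1.0.0"): good}
    resolve(lock, store, registry)                # first install fills the cache
    registry.clear()                              # maintainer pulls the package
    cached_ok = resolve(lock, store, registry)["tiny-dep"] == good
    registry[("tiny-dep", "1.0.0")] = b"not the same bytes"
    try:
        resolve(lock, ContentStore(), registry)   # fresh machine, empty cache
        hijack_rejected = False
    except ValueError:
        hijack_rejected = True
    return cached_ok, hijack_rejected
```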

Christopher, many thanks for linking Armin's article. It clearly shows why we will probably never see programs like the pump.io server in e.g. Debian.

Debacle at 2016-03-26T05:56:34Z