WrenSecurity / wrenam

Community fork of OpenAM, an authentication and authorization system originally developed by ForgeRock.

Verify (and possibly mirror) NPM installers #26

Open siepkes opened 6 years ago

siepkes commented 6 years ago

As discussed in #24 the openam-ui-ria project pulls in an NPM installer via a Maven plugin. We need a way to verify the NPM installer we downloaded.

This might require adding functionality to the com.github.eirslett:frontend-maven-plugin plugin. NPM provides a list with hashes of the installers (SHASUMS256.txt) and has also signed this list (SHASUMS256.txt.asc).
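How such a check against the signed list could look, as an added example written for this issue (not code from the wrenam repository or from frontend-maven-plugin). It assumes the Node release signing keys are pinned in a local keyring file checked into the build, that SHASUMS256.txt uses the sha256sum layout `<sha256-hex>  <filename>`, and the sample list and filename below are constructed, not real release data.

```python
"""Verify a downloaded Node/NPM installer against the signed SHASUMS256.txt."""
import hashlib
import hmac
import subprocess
from pathlib import Path


def parse_shasums(text: str) -> dict:
    """Parse SHASUMS256.txt: one '<sha256-hex>  <filename>' entry per line."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed SHASUMS256 line: {line!r}")
        sums[parts[1].strip()] = parts[0].lower()
    return sums


def verify_signature(sums_path: Path, asc_path: Path, keyring: Path) -> bool:
    """Check the detached PGP signature on SHASUMS256.txt.

    Only the pinned keyring is consulted (no default keyring, no key server), so
    a signature from any key other than the vetted release keys fails."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", str(keyring),
         "--verify", str(asc_path), str(sums_path)],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0


def verify_installer(shasums_text: str, filename: str, data: bytes) -> bool:
    """True only if the downloaded bytes match the list entry for `filename`.

    Call this only after verify_signature() has accepted the list; an artifact
    that is absent from the list is rejected rather than trusted."""
    expected = parse_shasums(shasums_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: the SHA-256 of the bytes b"abc" under a made-up filename.
SAMPLE_SHASUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "  node-vX.Y.Z-linux-x64.tar.gz\n"
)
```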

siepkes commented 6 years ago

@Kortanul FYI

Kortanul commented 6 years ago

@siepkes got your message about this, but am not sure if I'm the best one to take this on.

siepkes commented 6 years ago

@Kortanul Didn't mean to imply you should take it on ;-). The FYI was more about this being something that is also of value for IDM, and so that you are aware of this "hole" in our verification process.