Closed just-boris closed 8 years ago
+1
@just-boris Just tested this on a local project for which ied
was failing due to the lack of postinstall
, and it worked like a charm! Thank you
That's really great! Big fan of this!
The tests are lying, it is still not finished, but I made some progress there
Fixed, the actual reason wasn't related to postinstall feature. I sent another pull request aimed to fix it: https://github.com/alexanderGugel/ied/pull/90
This PR is rebased and contains that fixes as well.
@alexanderGugel it is ready to merge now :ship:
@just-boris Just merged the other PR. Will merge this one later today if possible. Thanks again!
Well, got this, I am going to fix it on the next week, too many things to do at the current
done
@alexanderGugel ping
As ied
is becoming a faster/higher security version of npm
, might it make sense to offer a global flag to turn off postinstall
hooks, or whitelist packages that are allowed to execute them?
@STRML Yes. postinstallation hooks (and lifecycle scripts in general) are in a sense a complete security fiasco IMO... I think they should actually be disabled by default....
I like this PR.
@just-boris Thanks for putting this together! Merged! Will be part of next release!
@alexanderGugel if you disable life-cycle scripts, how can one install native modules? The person installing the npm module might not even know the module is half-installed.
@vladwing You would have to decide on a case by case basis whether or not you want to build those dependencies. It sucks, but the alternative is to just hope that none of those 300 maintainers that are behind the subdependencies or some package suddenly turn evil and decide to take over a thousand machines in a matter of hours. I'm surprised nobody has done that already.
I totally agree it's wrong to allow code to run on your machine for no good reason. What I was suggesting is we need a way to alert that:
In that case ied should not install that module unless the user specifically permits it by adding its hash(not the package name/version anything else) to a whitelist.
How does it sound?
While npm is still dominant, that strategy seems fine, but if ied ever becomes popular, won't that just mean that a malware author has only a slightly higher bar to entry?
The idea of expecting every dev to audit all hooks also seems untenable. It's like we need a per-hash voting system. On Mar 23, 2016 10:45 PM, "Vlad Wing" notifications@github.com wrote:
I totally agree it's wrong to allow code to run on your machine for no good reason. What I was suggesting is we need a way to alert that:
- the module has a native module it needs built
- the module has a native module it needs built and life-cycle scripts
- the module has life-cycle scripts, but no native modules
In that case ied should not install that module unless the user specifically permits it by adding its hash(not the package name/version anything else) to a whitelist.
How does it sound?
— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/alexanderGugel/ied/pull/87#issuecomment-200644449
OTOH, are there actually things that a postinstall hook can do that a module can't do upon a require()? On Mar 23, 2016 10:59 PM, "Samuel Reed" samuel.trace.reed@gmail.com wrote:
While npm is still dominant, that strategy seems fine, but if ied ever becomes popular, won't that just mean that a malware author has only a slightly higher bar to entry?
The idea of expecting every dev to audit all hooks also seems untenable. It's like we need a per-hash voting system. On Mar 23, 2016 10:45 PM, "Vlad Wing" notifications@github.com wrote:
I totally agree it's wrong to allow code to run on your machine for no good reason. What I was suggesting is we need a way to alert that:
- the module has a native module it needs built
- the module has a native module it needs built and life-cycle scripts
- the module has life-cycle scripts, but no native modules
In that case ied should not install that module unless the user specifically permits it by adding its hash(not the package name/version anything else) to a whitelist.
How does it sound?
— You are receiving this because you were mentioned. Reply to this email directly or view it on GitHub https://github.com/alexanderGugel/ied/pull/87#issuecomment-200644449
Let's move the discussion about it in the issue: https://github.com/alexanderGugel/ied/issues/99
closes #82 Also, this feature was asked in #43 as the necessary thing to install
electron-prebuilt
.It is not ready to merge, yet, I'd like just share my results, and I want to add more tests before this will be merged.
And there is a thing with native packages. They require
node-gyp
to be installed. NPM carries bundlednode-gyp
command. To get this work with IED, we need to install it:npm install -g node-gyp
. Maybe it should be mentioned in the docs.