okTurtles / dnschain

A blockchain-based DNS + HTTP server that fixes HTTPS security, and more!
https://okturtles.com

Make all dependency versions precise #78

Closed taoeffect closed 9 years ago

taoeffect commented 9 years ago

See https://github.com/npm/node-semver for versioning semantic details.

To be clear, this is still insufficient security. We need cryptographic signatures for all dependencies, but that's a ways away because NPM doesn't support that (I don't think).

taoeffect commented 9 years ago

Consider whether it's more secure to use, for the moment, the git hash, as we do here:

"native-dns": "git+https://github.com/okTurtles/node-dns.git#08433ec98f517eed3c6d5e47bdf62603539cd402"

There is the annoying issue of initially retrieving DNSChain from NPM, and why debian packages may be a better option (as they support signing).

SGrondin commented 9 years ago

Yes Yes Yes to all of the above.

Dependencies should be "1.2.x" for example. Before each release, someone needs to go through all of them, check for minor version (the middle number) upgrades and see if there are breaking changes. That should give us a good incentive to reduce the number of dependencies as well! Fewer dependencies means less surprising behavior, an easier codebase to get into and fewer surprises, which means more contributors.

A Debian package is good, but we could also just ship a tarball with an md5 hash. Debian packages can be complicated to make. Using checkinstall helps, but there's still a lot of black magic involved. And then you need to follow the Debian flow for releases and it's too restrictive at this point for a fast moving project like DNSChain.
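The pinning discussed across this thread (exact versions versus semver ranges such as "1.2.x" or "^", and git URLs pinned to a commit hash as in the native-dns line above) can be checked mechanically before a release. The script below is an added example, not code from the dnschain project or from either commenter: it reads a package.json, classifies each dependency specifier by how precisely it pins what gets installed, and reports the ones that can still drift. The sample package.json is constructed for the example (the native-dns line is the one quoted in the thread; every other package and version is made up), and the classification follows the node-semver range syntax linked in the first comment. It only recognises version strings and full git URLs; npm shorthand forms such as "user/repo" or "github:user/repo" are left unclassified and reported.

```javascript
// Added example: audit package.json dependency specifiers for precision.
// Not part of the dnschain project. Assumes node-semver range syntax
// (https://github.com/npm/node-semver) and npm's "git+<url>#<ref>" form.

// "1.2.3" with optional prerelease/build metadata: installs exactly one version.
const EXACT_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// Git URL whose fragment is a full 40-hex commit id: content cannot move.
const GIT_SHA_RE = /^(git\+)?(https?|ssh|git):\/\/.+#[0-9a-f]{40}$/;
// Git URL with no fragment or with a branch/tag name: a moving target.
const GIT_REF_RE = /^(git\+)?(https?|ssh|git):\/\/.+(#.*)?$/;

// Returns one of: 'exact', 'git-commit', 'git-floating', 'range'.
// Anything that is not exact or commit-pinned may resolve differently
// on a later install, which is what the thread wants to rule out.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_RE.test(s)) return 'exact';
  if (GIT_SHA_RE.test(s)) return 'git-commit';
  if (GIT_REF_RE.test(s)) return 'git-floating';
  // Covers "^1.2.3", "~1.2.3", "1.2.x", "*", ">=1.0.0", and any shorthand
  // this example does not parse; all of these are reported for review.
  return 'range';
}

// Walks the dependency tables of a parsed package.json and returns the
// entries that are not pinned to a single version or commit.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (kind !== 'exact' && kind !== 'git-commit') {
        findings.push({ field, name, spec, kind });
      }
    }
  }
  return findings;
}

// Constructed sample input. Only the native-dns line is taken from the
// thread; the other packages and versions are invented for this example.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: {
    'native-dns': 'git+https://github.com/okTurtles/node-dns.git#08433ec98f517eed3c6d5e47bdf62603539cd402',
    'express': '4.10.2',
    'lodash': '^3.0.0',
    'request': '~2.51.0',
    'semver': '4.x',
    'example-fork': 'git+https://github.com/example/fork.git#master',
  },
  devDependencies: { mocha: '*' },
});

// Prints a release-checklist style report and returns the findings so the
// result can be used programmatically (for example to fail a CI step).
function report(packageJsonText) {
  const findings = auditDependencies(JSON.parse(packageJsonText));
  if (findings.length === 0) {
    console.log('all dependencies are pinned to an exact version or commit');
  } else {
    console.log(`${findings.length} dependency specifier(s) are not precisely pinned:`);
    for (const f of findings) {
      console.log(`  ${f.field}.${f.name}: "${f.spec}" (${f.kind})`);
    }
  }
  return findings;
}

report(SAMPLE_PACKAGE_JSON);
```

Run it on a real package.json by replacing `SAMPLE_PACKAGE_JSON` with the file contents; a non-empty result is the list someone has to walk through before a release, as the second comment describes. Pinning removes drift but not the trust problem raised in the first comment: an exact version still only identifies what the registry serves, which is why the thread also discusses git commit ids and signed packages.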