nym/npm+tlp

## npm+tlp
nym> i'm by no means a security expert, but i do have some basic security concerns about npm with respect to The Locker Project
 [1:30 PM] <isaacs> nym: yeah, i'm working on that :)
 [1:31 PM] <nym> cool, just mentioning it because our use case is protecting personal data
 [1:31 PM]  → liquidproof (~liquidpro@85-23-22-168.bb.dnainternet.fi) joined
 [1:31 PM] <isaacs> nym: the short answer for now is to set up a registry internally, configure couch to always require auth and only be accessible via https, and set npm to always-auth as well.
 [1:32 PM]  → cafesofie and tristanseifert joined
 [1:33 PM] <isaacs> nym: fairly soon, the registry will send out a cert for "registry.npmjs.org" (instead of one for *.iriscouch.com) and the client will validate that.
 [1:33 PM]  ⇐ dherman (~dherman@pool-108-15-60-35.bltmmd.fios.verizon.net) quit: Quit: dherman
 [1:33 PM] <isaacs> nym: you're not using npm to send and fetch your actual personal data you store, are you...?
 [1:33 PM]  → Gus and Cleer joined
 [1:34 PM] <nym> isaacs: no, but our connectors use node.js dependencies
 [1:34 PM] <Gus> hi
 [1:34 PM] <isaacs> nym: right, that's what i thought you meant.  so you wanna make sure that the deps come from who they say they come from, the registry is the "real" registry, etc.
 [1:34 PM] <nym> right
 [1:35 PM]  ⇐ Guest85763, explodes and Gus quit
 [1:35 PM] <nym> ideally we'd like to maintain our own registry to make sure the versions were the right ones
 [1:35 PM]  ⇐ Guest431 (~guillermo@c-67-169-69-156.hsd1.ca.comcast.net) quit: Ping timeout: 276 seconds
 [1:35 PM] <nym> so we can have a "stable" product, so to speak
 [1:36 PM]  ⇐ ericmuyser (~ericmuyse@216-40-104-58.ip.van.radiant.net) quit: Quit: ericmuyser
 [1:37 PM] <sechrist> woot, I set up a cheap little tv monitor to sit near my workstation dedicated to irc
 [1:37 PM] <nym> isaacs: please feel free to come by #lockerproject and talk anytime
 [1:37 PM]  → margle joined  ⇐ zastaph quit
 [1:38 PM] <isaacs> nym: looks interesting.  i'll check it out after node knockout if i'm still sane ;)
	nym> i'm by no means a security expert, but i do have some basic security concerns about npm with respect to The Locker Project
	[1:30 PM] <isaacs> nym: yeah, i'm working on that :)
	[1:31 PM] <nym> cool, just mentioning it because our use case is protecting personal data
	[1:31 PM] → liquidproof (~liquidpro@85-23-22-168.bb.dnainternet.fi) joined
	[1:31 PM] <isaacs> nym: the short answer for now is to set up a registry internally, configure couch to always require auth and only be accessible via https, and set npm to always-auth as well.
	[1:32 PM] → cafesofie and tristanseifert joined
	[1:33 PM] <isaacs> nym: fairly soon, the registry will send out a cert for "registry.npmjs.org" (instead of one for *.iriscouch.com) and the client will validate that.
	[1:33 PM] ⇐ dherman (~dherman@pool-108-15-60-35.bltmmd.fios.verizon.net) quit: Quit: dherman
	[1:33 PM] <isaacs> nym: you're not using npm to send and fetch your actual personal data you store, are you...?
	[1:33 PM] → Gus and Cleer joined
	[1:34 PM] <nym> isaacs: no, but our connectors use node.js dependencies
	[1:34 PM] <Gus> hi
	[1:34 PM] <isaacs> nym: right, that's what i thought you meant. so you wanna make sure that the deps come from who they say they come from, the registry is the "real" registry, etc.
	[1:34 PM] <nym> right
	[1:35 PM] ⇐ Guest85763, explodes and Gus quit
	[1:35 PM] <nym> ideally we'd like to maintain our own registry to make sure the versions were the right ones
	[1:35 PM] ⇐ Guest431 (~guillermo@c-67-169-69-156.hsd1.ca.comcast.net) quit: Ping timeout: 276 seconds
	[1:35 PM] <nym> so we can have a "stable" product, so to speak
	[1:36 PM] ⇐ ericmuyser (~ericmuyse@216-40-104-58.ip.van.radiant.net) quit: Quit: ericmuyser
	[1:37 PM] <sechrist> woot, I set up a cheap little tv monitor to sit near my workstation dedicated to irc
	[1:37 PM] <nym> isaacs: please feel free to come by #lockerproject and talk anytime
	[1:37 PM] → margle joined ⇐ zastaph quit
	[1:38 PM] <isaacs> nym: looks interesting. i'll check it out after node knockout if i'm still sane ;)