
Laurie Voss seldo

We've had a lot of interest in this thesis. We were a little less defensive this time given that the author made clear that several major package managers are vulnerable in the same way.

We delete typo-squatting when it is brought to our attention. Usually this happens when somebody else wants to use the name, in which case our support team will transfer the empty package to them. Sometimes people will notice a single user squatting a large number of names, and then we'll delete them, but the registry is too big and our support team too small to do this all the time. We do not automate removal of squatting because it's too easy to game: whatever you decide is the rule to be a "real" package, somebody will create a package that meets that and use it to squat on things.

As for the security risk, it is pretty small. The ~600 installs he counted over several days from npm represent just 0.02% of the number of installation sessions npm records

seldo / meetings.md
Last active December 7, 2015 17:46

How to have a good meeting

This is an opinionated guide to running meetings by me. It's not the law.

Good meetings are:

  • Infrequent
  • Focused
  • Involving as few people as possible
  • As short as possible

view Main {
  <div>
    <h1>Hello, world!</h1>
  </div>
  $ = {
    color: 'darkgray',
    padding: 20
  }
}

The notification you received was the result of an audit of the registry for credentials that appeared to have been leaked as part of a package publish. The credentials were sitting in a file in the same directory as your module, and got published along with all the other files. To ensure your security, we invalidated all such credentials.

The audit was a combination of manual and automated inspections, so it's possible that your notification was the result of a false positive. We're currently looking into your case specifically, to get details of the exact tarball and which file triggered this. We'll update you as soon as possible.

[for the user who complained this was late, and only that user]

You're right that this notification is long after the fact. As of today, a continuous scanner is in place such that notifications will be instant in the future. We were aware that credentials could leak in this way, but were surprised by how widespread it had become, hence only implementing the scanner this week. W

makeFolder /Users/seldo/projects/flint-test/appname
Looking for updated scaffold in https://github.com/flintjs/scaffold
Check for new scaffold SHA in... /usr/local/lib/node_modules/flint/lib/bin/scaffoldSHA
Error reading scaffold file { [Error: ENOENT: no such file or directory, open '/usr/local/lib/node_modules/flint/lib/bin/scaffoldSHA']
errno: -2,
code: 'ENOENT',
syscall: 'open',
path: '/usr/local/lib/node_modules/flint/lib/bin/scaffoldSHA' }
Copy new SHA /usr/local/lib/node_modules/flint/lib/bin/scaffold/.git/refs/heads/master /usr/local/lib/node_modules/flint/lib/bin/scaffoldSHA
Error { [Error: Command failed: /bin/sh -c git clone --depth=1 https://github.com/flintjs/scaffold /usr/local/lib/node_modules/flint/lib/bin/scaffold

But it doesn't end with this. The problem with the strategy "define what is acceptable and politely exclude those who don't agree" is that it is a recipe for keeping the marginalized marginal. Some of the straight white men of tech don't live in a reality where women and PoC are equally good at understanding technology. Some people are die-hard racists or sexists. Some people think gay marriage is wrong. They aren't doing it because they're evil, they're doing it because they sincerely believe they're right and others are wrong.

Your goal cannot be to directly change somebody else's definition of acceptability, or force them to change their rules. The Supreme Court agreed that gay marriage was not a constitutional right in 1972 before reversing itself in 2015. It's not because the court is fickle. It's because the court is made of people, and those people in 2015 came from a diff

seldo / gist:3d8376c02a7994e56487
Last active August 29, 2015 14:24
I Am The Very Model Of A Modern Package Manager
FROM: "Revin Guillen" <rg@sevenite.com>
My reply to https://twitter.com/seldo/status/618150325636108289 won't fit in a tweet.
I hope whitespace is preserved here.
I am the very model of a modern package manager
I've information current, deprecated in my cache-ager
I know the code you write has other modules ("mod-you-uhls") it depends on
And I collect it all for you from first the moment you log on
<134>2015-03-31T03:06:22Z cache-ord1724 fastlylogs-1-east[270882]: 23.253.224.36 "-" "GET /npm/public/registry/g/grunt-bower/_attachments/grunt-bower-0.4.2a.tgz" 200 "(null)" "(null)" "(null)" "HIT" "shield__cache_ord1724_ORD__ord_il_us" "cache-ord1724-ORD"
<134>2015-03-31T03:06:22Z cache-ord1730 fastlylogs-1-east[39806]: 23.253.224.36 "-" "GET /npm/public/registry/g/grunt-bower/_attachments/grunt-bower-0.8.0.tgz" 200 "(null)" "(null)" "(null)" "HIT" "packages_" "cache-ord1730-ORD"
<134>2015-03-31T03:06:22Z cache-dfw1834 fastlylogs-1-east[39806]: 23.253.224.36 "-" "GET /npm/public/registry/g/grunt-bower/_attachments/grunt-bower-0.8.4.tgz" 200 "(null)" "(null)" "(null)" "HIT" "shield__cache_dfw1834_DFW__dallas_tx_us" "cache-dfw1834-DFW"
<134>2015-03-31T03:06:22Z cache-dfw1821 fastlylogs-1-east[39806]: 23.253.224.36 "-" "GET /npm/public/registry/g/grunt-bower/_attachments/grunt-bower-0.11.0.tgz" 200 "(null)" "(null)" "(null)" "HIT" "packages_" "cache-dfw1821-DFW"
<134>2015-03-31T03:06:22Z cache-ord1728 fastlylo
00:10 seldo: all: we are seeing another huge burst of 503s
00:10 seldo: What's up?
00:11 pwohlers: checking
00:14 seldo: All our internal checks are green and I have manually verified no problems hitting our servers
00:17 pwohlers: seldo - looks like we're seeing packet loss out of SJC
00:17 othiym23: pwohlers: fwiw, we (npm) are getting error reports from users in Australia, who are also saying they're having problems with reddit
00:17 othiym23: not implying causation, just a data point
00:18 pwohlers: thanks
00:18 seldo: I am seeing 503s in our logs (from fastly) from every data center: FRA, SJC, LAZ, ORD, LCY, AMS, etc.
00:19 pwohlers: where are your origins seldo ?
npm info it worked if it ends with ok
npm verb cli [ 'node', '/usr/local/bin/npm', 'install', 'npm/npm2es', '-ddd' ]
npm info using npm@1.4.14
npm info using node@v0.10.26
npm WARN package.json www-hapi@0.0.3 No repository field.
npm verb readDependencies using package.json deps
npm verb cache add [ 'npm/npm2es', null ]
npm verb cache add name=undefined spec="npm/npm2es" args=["npm/npm2es",null]
npm verb parsed url { protocol: null,
npm verb parsed url slashes: null,