-
Notifications
You must be signed in to change notification settings - Fork 5.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secure Distributed Registry for deno #3616
Comments
I'm going to compare this with Go which has a similarly distributed module system as Deno:
Also Go uses standard https:// and ssh:// git operations to fetch modules. That means if you trust the domain you can trust that the communication to that domain is secure because of https. |
thanks @lucacasonato that gives a lot of clarity. Are we planning to build similar proxy system for deno too or is it already built? |
It doesn't exist right now, and I don't know if it is something that is planned. @ry? |
https://deno.land/x/ is effectively the equivalent to the proxy and documents on that page how other packages can be added. The optional support for lock files (#3231) was the solution for sub-resource integrity to compliment this. |
Well no because it doesn't do the immutability caching. Go Proxy does do
that (pretty much the entire point of go proxy).
But yeah, pretty unimportant if you use the lock files.
…On Wed, 8 Jan 2020 at 00:12, Kitson Kelly ***@***.***> wrote:
https://deno.land/x/ is effectively the equivalent to the proxy and
documents on that page how other packages can be added. The optional
support for lock files (#3231 <#3231>)
was the solution for sub-resource integrity to compliment this.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3616?email_source=notifications&email_token=AB3XNVIOYUCRE3KHR6MDWADQ4UD5ZA5CNFSM4KD3HEH2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIKTWGI#issuecomment-571816729>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB3XNVMKJRPJNVMV3A6DH4TQ4UD5ZANCNFSM4KD3HEHQ>
.
|
@ameerthehacker @lucacasonato, those are interesting issues worth thinking about. The lock files can ensure that I always get the same dependencies that I get the first time when I installed them, but it doesn't ensure that I get the right files for the first time to begin with. Let's say that a malicious user creates a useful library with no bad code. Something that helps with handling credit cards. It's all nice, people audit the code and use it with lock files. One day, the author decides to steal the data and suddenly publishes a new version and changes the tags on GitHub so that it looks like the old version. From that point in time the following happens:
This is a problem of mutability of GitHub version tags. Possible solution would be to have deno.land/x or a service like deno.land/x to either:
Currently, deno.land/x seems to return the file contents instead of redirecting to GitHub. I am almost sure that it used to redirect to GitHub before. I don't know if the current behavior is getting the original file once with a guarantee of immutability, or is it just a caching for convenience. I suppose it has no guarantees or otherwise the code for master branches would never get updated. In any case, what you are proposing here might be done as a third party service with no need to be centralized. In fact, it would be interesting to see other services like deno.land/x to demonstrate different ideas to implement a service like this. |
Also it is very important to add statistics to help developers to pick top modules |
The quality or usefulness of a module is not determined by its statistics, for example https://www.npmjs.com/package/isarray. |
@kitsonk Good point 😄 return toString.call(arr) == '[object Array]' https://github.com/juliangruber/isarray/blob/master/index.js#L4 |
I install git(hub/lab), etc. hosted modules over SSH. Is it possible for deno now or later, to provide such ability to load modules that are protected by SSH keys? |
Using an ssh key only validates that you are who you say you are. Why is this a requirement for being able to download a module? |
@kitsonk, the requirement is to download private modules. In a distributed software architecture, some modules could need to be reused in many or all services. So far, I had used github, gitlab, bitbucket along with ssh keys to reuse those modules. I am wondering how to securely distribute private packages across services in deno. |
SSH really isn't conducive for single file fetches. GitHub supports passing an auth token as part of the URL which would give you access to a private repo (and I assume it would work with other services as well). Still that is likely not sufficient as it requires you embedding your token in the code. I opened #5239 which would mean it would be passible on the command line. |
We discussed options for a distributed / decentralized registry for Deno in a different issue, if you're interested, have a look at denoland/dotland#406. I've started working on a registry a while ago, which should solve most of the problems we talked about. For a more detailed explanation, have a look at denoland/dotland#406 (comment) or check out the website https://deno.to/. It's still a work in progress, but I hope to get a first version up and running soon. |
Please don't forget about private registries. Many companies want to use their own private modules in projects. |
I might be a little late to this conversation, and I apologize for that. I think that it would be helpful for me to mention a module registry and CDN (of sorts) that my team and I developed: https://nest.land. Q: How do we ensure the immutability of those packages? Q: How to we take care about the security vulnerability in them (or we don't do anything about it) Q: Since we have a set of distributed packages from various packages, how do Deno users know which source to use for the same package A free, open source, and decentralized module registry/CDN is simply my take on what the Deno ecosystem could benefit from. |
deno.land/x has gotten a major upgrade recently (https://deno.land/posts/registry2), with the main change being that all code being served is now immutable. Also there are other registries like nest.land that provide even stricter immutability guarantees. I think this is mostly a userland issue and deno provides the necessary tools to prevent rogue modules (secure by default, lock files). @ameerthehacker can this be closed? |
awesome @lucacasonato this looks greats, thanks |
Deno is goal to create a distributed package management solutions but
Thoughts on the solution
Is is possible that we create a registry system that anyone can host to share their packages (we do security checks, immutability support in the service) and is there is a way by which deno can detect that we are downloading packages from our service hosted registries securely without being fooled
The text was updated successfully, but these errors were encountered: