I recently contacted commcomm at iojs.org and they kindly redirected me here.
This is the content of the email I sent:
Hi!
I just checked out your post on Medium (https://medium.com/the-node-js-collection/introduction-to-the-node-js-community-committee-and-our-focus-for-2018-c6872c1292e4)
Since this happened in npm
https://www.csoonline.com/article/3214624/security/malicious-code-in-the-node-js-npm-registry-shakes-open-source-trust-model.html (in which I nearly got affected with the crossenv package)
Also check this out:
https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
I think it would be interesting to have kind of a Seal of Approval for legit NPM packages.
For a time I couldn’t come up in my mind with who would be the right entity to put that seal, but I guess it could be you :)
As I see it, being able to see the seal icon in the npm page would be a good sign of quality for a package, and a way to be sure that it's completely legit.
I hope my words make sense and help in some way.
Have a great week,
Greetings
I actually raised that a few weeks back:
https://github.com/nodejs/security-wg/issues/157
It is a great idea but looks like a product more than something that we should maintain.
On 9 May 2018 at 11:40, Didac notifications@github.com wrote:
Commenting here to leave OP as clean as possible.
The "easy" way that comes to my mind is to include a fee to have a package reviewed by the team (being it kind of a "donation" and a "good faith symbol" by a particular interested in having that seal of approval).
Anyway I'd like this to be a debate and an open list of different proposals. If I come up with something else I'll post it here (unless you redirect me somewhere else).
Please don't take my words as a requirement, but as a proposal for improvements in a particular area that suffered (although quickly mitigated) a short time ago.
And by the way, thank you for the awesome work.
I'm not necessarily sure that the security-wg (or any other group inside the Node.js umbrella) should certify modules. I can see several scenarios where we could have conflict of interest situations, and it could quickly grow out of hand.
I would leave this problem to the ecosystem to solve, as there are already commercial products doing this (or similar things).
I agree with the potential conflict of interest, and I also think it would be difficult to have volunteers keep up with the work.
Regardless of who does it, I don't think a seal of approval can actually convey trustworthiness at anything but a point in time (and I'm skeptical of even that - who here puts any stock in websites with the various safe site logos). Even if the initial review could accurately determine that a package and all of its dependencies are free of backdoors, and without vulnerabilities that are exploitable merely by consuming the package (most vulnerabilities in packages are only exploitable based on the conditions of the package's use), that could change during the very next upload.
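The point-in-time argument above, as an added example (not code from this thread or from the security-wg): a review record is only meaningful when it is bound to the exact version and tarball integrity hash of every package that was reviewed, and checking such a record against a package-lock.json (lockfile v2 layout) shows how the next upload or a new transitive dependency takes a tree out of coverage. The seal format, package names and lockfile contents are constructed for illustration.

```python
"""Check whether a point-in-time review record ("seal") still covers an installed tree."""
import json

# Constructed seal: every (name, version, integrity) triple the reviewers actually examined.
# The integrity value is the same SRI string npm records in package-lock.json.
SEAL = {
    "reviewed_at": "2018-05-09",
    "packages": {
        "example-pkg": {"version": "1.2.3", "integrity": "sha512-AAAA"},
        "left-ish": {"version": "0.1.0", "integrity": "sha512-BBBB"},
    },
}

# Constructed package-lock.json v2 fragment: example-pkg was republished as 1.2.4 since the
# review, left-ish is unchanged, and new-dep was pulled in as a new transitive dependency.
LOCK = {
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/example-pkg": {"version": "1.2.4", "integrity": "sha512-CCCC"},
        "node_modules/left-ish": {"version": "0.1.0", "integrity": "sha512-BBBB"},
        "node_modules/new-dep": {"version": "2.0.0", "integrity": "sha512-DDDD"},
    },
}

def lock_packages(lock):
    """Map package name -> list of installed entries; the name is the last node_modules/
    segment, so nested duplicates ('node_modules/a/node_modules/b') are handled too."""
    out = {}
    for path, entry in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        out.setdefault(path.rsplit("node_modules/", 1)[-1], []).append(entry)
    return out

def seal_coverage(seal, lock):
    """Report which installed packages the seal still covers, which changed since the
    review (version or tarball hash), which were never reviewed, and which are gone."""
    installed = lock_packages(lock)
    report = {"covered": [], "changed": [], "unreviewed": [], "missing": []}
    for name, reviewed in seal["packages"].items():
        entries = installed.get(name)
        if not entries:
            report["missing"].append(name)
            continue
        for e in entries:
            same = e.get("version") == reviewed["version"] and e.get("integrity") == reviewed["integrity"]
            (report["covered"].append(name) if same else report["changed"].append((name, e.get("version"))))
    report["unreviewed"] = [n for n in installed if n not in seal["packages"]]
    return report

if __name__ == "__main__":
    print(json.dumps(seal_coverage(SEAL, LOCK), indent=2))
```

Anything in "changed" or "unreviewed" is exactly the case the comment describes: the seal was accurate when issued and says nothing about what is installed now.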