Hashes already exist. The problem is not a lack of integrity verification. We have that. The problem is not a lack of identity verification, we haven't really shown that NPM is lacking for that.

The problem is one of addressing. People want to get packages by a utf8 and natural language string, followed by a version boundary check.

If people referred to packages by their proper hash (as one does when referencing values from IPFS), then we wouldn't have this problem. If people had a public key and added a key fingerprint that would also work, but would not provide any additional verification to the code (1).

But people don't want to do this. They want to address packages by relatively simple and memorable tuples. That is the problem.

> They're also a bit like anti-vaxers. They irrationally refuse to participate in such a system to everyone elses' detriment. They're a bit like congress as well. They can't just look at a working system like single payer, and copy it.

You aren't even in Keybase. Have you personally participated in any keysigning parties? Can I find your public key details here?

I can answer yes to all 3 above questions.

> So now that I've maybe offended everyone, strike me down with down votes. That's the basics of how I would go about it though.

You haven't actually offended everyone. What you haven't done is say anything that anyone else doesn't know already. We all know how signature verification worksheet and we all have seen it's problems in real world implementations.

Please reconsider paragraphs like this.

(1) :: The thing this would do is make it arguably more secure contacting the author or maintainers of the code, although given GPG's failure to achive widespread adoption or integration in popular tooling, it seems unlikely it'll see much utility.

> If people referred to packages by their proper hash (as one does when referencing values from IPFS), then we wouldn't have this problem. If people had a public key and added a key fingerprint that would also work, but would not provide any additional verification to the code (1).

The hash naturally changes with every release. The key fingerprint doesn't. Updating your dependencies to new releases is much, much more frequent than adding a new dependency; people are willing to put more effort into the latter than the former.

> You aren't even in Keybase. Have you personally participated in any keysigning parties? Can I find your public key details here?

Keybase encourages poor practices and as such I avoid it. But I've been to keysigning parties and my key's details are published any number of places. (Since adding one more is all to the good, the fingerprint is 400A C7D2 E7A1 802A AE2C C459 B1E5 712A 6D03 3D61)

I don't understand why you feel that the keybase question was directed at you. The decision to enter into this part of the discussion definitely hurt otherwise interesting post.

It's true that a signature is based around a component with longer lifespan than a hash. However the management and trust of that component damages this argument severely.

I am unaware of any web of trust in active use that could operate a npm scale existing today. Could you share one with me?

Because it was a direct reply to the individual. If used as an example you should give context, otherwise your comments are directed towards who you reply to.

I didn't reply to lmm. I asked that question of danjoc.

Is that not obvious from scrolling?

Maven prevents this as well. To add a package to the global repository you need to show ownership of your namespace by posting your key, your website, your email, or most commonly these days your GitHub repo with identifying information. They do check to make sure you're allowed to use each package identifier.

All package submissions are hand-curated, which should catch typosquatters. There's a clearly laid out pattern for what package space you're allowed to use based on website or company ownership.

The system is highly automated but you have to wait to get your namespace approved. And it's not unrealistic to do this with npm, maven has somewhere over a million packages.

Actually Maven Central has about 200K packages. Incidentally about the same number of packages by which npm has increased in the last year. So no, a hand-curated submission process is probably not reasonable

[1]: http://www.modulecounts.com

Thanks for bringing the numbers to this.

NPM is such a massive package repository, it's sort of a testament to the community that these sorts of things don't happen more often.

Well npm requires you to login through their CLI in order to publish packages... The only difference is that you use a password instead of a key. No difference.

There's a huge difference. I could put my private key on a hardware dongle completely isolated from my PC environment if I wanted.

Npm is a public internet login with a password of your choosing, probably the most insecure form of authentication there is bar doing nothing. I could be brute forcing your login credentials right now and you wouldn't even know.

Also, users are safe even if maven itself is compromised because attackers still can't validate my private key. I don't think you could say the same about npm...

> Well npm requires you to login through their CLI in order to publish packages... The only difference is that you use a password instead of a key. No difference.

Yes, there is a difference, released must be digitally signed on maven. They are not on NPM, so a hacker can hijack your packages just by obtaining your npm credentials.

That's crypto 101 and you can't tell the difference?

> so a hacker can hijack your packages just by obtaining your npm credentials.

Couldn't they 'just' steal your GPG key as well? If someone can trivially steal a strong password from you, I'd worry about key material as well.

> That's crypto 101 and you can't tell the difference?

Please reconsider sentences like these.

The issue is of who to trust, the package maintainer or the package repository?

It is comparatively trivial to steal a strong password when it is transmitted over the internet vs local key material.

Nation states with bad certs (china has done this) can steal your password, npm can steal your password, npm can be hacked and leak passwords, npm can be subject to a NSL and forced to hand over passwords, etc, etc.

There is a big difference between passwords and keys.

> The issue is of who to trust, the package maintainer or the package repository?

Interesting framing.

> It is comparatively trivial to steal a strong password when it is transmitted over the internet vs local key material.

"Comparatively trivial?" I don't really understand this. I think you're suggesting that SSL cert attacks are easier than evil maid attacks due to this paragraph:

> Nation states with bad certs (china has done this) can steal your password, npm can steal your password, npm can be hacked and leak passwords, npm can be subject to a NSL and forced to hand over passwords, etc, etc.

Pardon me, but we're so far afield of the actual reality and the logistics that plague it that I decline to continue this conversation. If your adversary is nation states, you need a code audit (preferably several). You can't trust the signatures precisely because nation states are so well equipped to perform evil maid attacks.

It is 2017, evil maid attacks are the reality of the nation-state intelligence industry. We're seeing examples of them leaking out. They're in active use not just in a targetted mechanism, but speculatively! We have evidence intelligence agencies sell comprimised USB keys in bulk near the physical locations targets are likely to enter just to see if they can catch them in a moment of bad opsec.

Honestly this all feels like an attempt to say, "We should use GPG because it is good." Maybe it is. I'm not so sure, given the logistical reality.

But it wouldn't prevent the attack we see in the tweet above. It wouldn't make the root post of this thread correct. And I'm not sure it would accomplish what you're saying.

I'm sorry, I simply don't have time to chase this degree of abstracted hypothetical on a day old thread. I'm writing this final message here as a courtesy to those involved.

Just consider: - China issues a bad cert for npm - Slurps up all passwords from Chinese maintainers en masse

Now we can't trust any package published from China.

This is a bigger deal than a targeted evil maid. Distributed trust is better than centralized trust.

Distributed trust isn't better than centralized trust. In fact, it'll fail more often. It's just that the failures have varying degrees of severity.

Same principle as saying, "I will make my website more reliable by adding more servers." In fact you make it less reliable by doing so, you just change the severity of the problems.

And we've seen economic mechanisms compromise signed star-shaped trust graphs. E.g., all these atom plugins with features/spyware circulating because a small handful of companies think it's a business model. That's literally just buying the property from folks and ruining it. That's a very powerful attack against a web of trust and often cheaper than the fake cert attack, which is actually something you can guard against if you feel inclined to do so.

I guess you are aguing that you can't find 10-ish core npm maintainers that can be bothered to sign keys for well-known developers and bootstrap a web of trust that would then provide crypto attestation and perform basic gatekeeping on new package submissions.

It's not like you'd have to write a bunch of software. Also, other mission-critical open source repos have been doing this for at least a decade, so you don't even have to invent and validate a new set of processes for this.

For me, this calls into question the reliability and quality of the whole npm infrastructure and the packages it hosts.

Also, blaming users because npm (knowingly, through willful negligence) hosts malicious packages that typo squat on legitimate packages doesn't seem appropriate to me.

Yeah I'm not really following how users desiring a natural-language tuple-looking thing prevents proper identity verification. Even without namespacing strong identity controls (signature verification and preventing unauthorized accounts from posting under a taken name, for example) can prevent most attacks short of typosquatting.

Typosquatting is exactly what these malicious packages were doing. So you're agreeing that arguments re. identify verification is a useless distraction in this case?

You seem to have a handle on every aspect of this situation except what the actual attack we're discussing was.

It was typo squatting.

And you like to assume things.

Name canonicalization gets you part of the way there. But unless you want to go full-on namespacing then you must realize you are fighting a pointless battle.

You cannot reasonably expect to save users from themselves in every way.

Npm has namespacing.

One of the central problems of trust is that simple solutions don't scale well. Back in the day, one acquired a .com address by sending someone an email, because everyone knew everyone.

cross-env has had 1.3 million downloads in the last month. How many of those "hey, I am evaluating your library" emails can Dodds field?

Most node projects have hundreds of dependencies, if you include transitive dependencies. How many of those can you test?

If simple solutions worked, they'd be used.

Seems to scale well both for maven and basically all linux distroes, so there's that

I suppose that to get an estimate of the number of actual users, you have to scale that number of downloads down by a factor of 10 - 1000, depending on if and what kind of dependency cache JS toolchains use (esp. around CI/CD).

But yeah, everyone contacing an author directly doesn't scale at all.

I do see what youre saying but that 1.3 million downloads is not unique. That number is mainly comprised of automated builds pulling in the package (either directly or transitively), not new devs trying it out.

The part where you personally checked out who published the package and did due diligence would save you with NPM. That gpg protection scheme would prevent MITM attacks presumably. The presence of that key isn’t going to establish trust (though maybe you could build off of it so it’s foundational in that sense), or somehow enable the fbi and dod.

Why would the malicious user advertise the email associated with crossenv as kent@doddsfamily.com and not kent@dodds.family? Attacker could control the latter and hand you an evil cert?

One would think you would do more than send an email if you're trying to verify.

Websites, Twitter, Github, Keybase, etc..

It would be pretty hard for a bad actor to overtake the real author's entire Google-findable presence (assuming it's a reasonably popular package - why would you typosquat anything obscure).

If all you do is send an email, then you haven't really done "due diligence" in any acceptable form.

What if the attacker instead advertises `some-totally-different-person@gmail.com`? How are you even supposed to know who wrote the legitimate version of the package in the first place? And if you _do_ know who wrote the package, you don't need a GPG key to verify that; just their NPM username or even the actual, real package name will do fine for preventing this specific attack.

Should I book a plane ticket to go verify 2 pieces of photo ID in person?

This idea that everyone will just verify with the author is insane.

Presumably you inspect the thing you're including in your project first, if it seems trustworthy you mark whatever key you have as somewhat trustworthy. Then you inspect differences on version updates of your npm deps. If it still looks ok, you update your trust of the key.

It's the same way you gain trust in something in real life, by watching actual behavior of someone over time. It is just assisted by technology.

Then you can ignore the issue of email completely, because you're not basing your trust on authority of the author, but on his track record as determined by you.

I bet you'll not find many attackers who would maintain some hijacked package for a few months, before launching their attack. Original author would probably notice something fishy too, given enough time.

Do you do that with all the transitive dependencies as well? With npm's small library ethos, it seems like that way lies madness.