@Christian Bundy %KXHeBAnfJA/a69Uol+nZJJV35Wk7MnVFEbzohTY+IgA=.sha256

“I don't know what to say” – Backdoor in popular event-stream NPM repo

Just saw on Hacker News that the event-stream package may have a backdoor. Is this used in any SSB modules, and/or has this been discussed elsewhere on SSB? It's frustrating to see so much heat pointed at Dominic here, especially when it's obviously not a one-off attack.

@Christian Bundy %KrkO5sw7ZFgfqFKTUnvwctwOLxrVrD51cfzXswQ2STc=.sha256

@Mikael Brockman's laptop

I wonder whether we'll eventually see permissions for Node modules, where filesystem and network access would be rare. Unfortunately, right now we have thousands and thousands of packages with no restrictions, and exfiltrating data is just as easy as rm -rfing all the things.

The only upside is that [as long as you're using a lockfile] I think you're immune to deep dependency updates, but the long and the short of it is that downloading arbitrary software from the internet isn't any more secure just because you downloaded it with npm install.
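An added example, written for this page and not code from the thread, from SSB, or from npm: a small Node script that walks a package-lock.json and lists every copy of a package the lockfile pins, including copies nested under other dependencies, and flags entries that carry no integrity hash. It assumes the two lockfile layouts npm has used (lockfileVersion 1 with a nested "dependencies" tree, lockfileVersion 2/3 with a flat "packages" map keyed by node_modules path). The embedded sample lockfile is constructed, and its version numbers and registry URL are placeholders rather than event-stream's real release history.

```javascript
// Added example (not from the thread): enumerate the copies of a package that a
// package-lock.json pins, wherever they sit in the tree, and report entries that
// npm would fetch without an integrity hash to verify the tarball against.
// Sample data below is constructed; versions and URLs are placeholders.

// lockfileVersion 1: "dependencies" tree, nested copies live under each entry.
function walkV1(deps, trail, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...trail, name];
    out.push({
      name,
      path: path.join(' > '),
      version: entry.version,
      resolved: entry.resolved || null,
      integrity: entry.integrity || null,
      link: false,
      inBundle: !!entry.bundled,
    });
    walkV1(entry.dependencies, path, out);
  }
  return out;
}

// lockfileVersion 2/3: "packages" map keyed like "node_modules/a/node_modules/@s/b".
function walkPackages(packages, out) {
  for (const [key, entry] of Object.entries(packages)) {
    if (key === '') continue; // root project entry
    const parts = key.split('node_modules/').slice(1).map(s => s.replace(/\/$/, ''));
    if (parts.length === 0) continue; // workspace or other non-node_modules path
    out.push({
      name: parts[parts.length - 1],
      path: parts.join(' > '),
      version: entry.version,
      resolved: entry.resolved || null,
      integrity: entry.integrity || null,
      link: !!entry.link,
      inBundle: !!entry.inBundle,
    });
  }
  return out;
}

function lockEntries(lock) {
  if (lock.packages) return walkPackages(lock.packages, []);
  return walkV1(lock.dependencies, [], []);
}

// Every pinned copy of `name`, deep or shallow.
function pinnedVersions(lock, name) {
  return lockEntries(lock).filter(e => e.name === name);
}

// Entries with no integrity hash (links and bundled packages legitimately lack one).
function entriesWithoutIntegrity(lock) {
  return lockEntries(lock).filter(e => !e.integrity && !e.link && !e.inBundle);
}

function report(lock, name) {
  return { copies: pinnedVersions(lock, name), unverified: entriesWithoutIntegrity(lock) };
}

// Constructed sample: a top-level event-stream plus a second, deeper copy pulled
// in by another dependency. The deeper copy has no integrity field.
const SAMPLE_LOCK = {
  name: 'my-app',
  version: '1.0.0',
  lockfileVersion: 1,
  requires: true,
  dependencies: {
    'event-stream': {
      version: '1.0.0',
      resolved: 'https://registry.example/event-stream/-/event-stream-1.0.0.tgz',
      integrity: 'sha512-AAAA',
      requires: { through: '~2.3.1' },
      dependencies: {
        through: {
          version: '2.3.8',
          resolved: 'https://registry.example/through/-/through-2.3.8.tgz',
          integrity: 'sha512-BBBB',
        },
      },
    },
    'build-helper': {
      version: '4.2.0',
      resolved: 'https://registry.example/build-helper/-/build-helper-4.2.0.tgz',
      integrity: 'sha512-CCCC',
      requires: { 'event-stream': '^1.1.0' },
      dependencies: {
        'event-stream': {
          version: '1.1.0',
          resolved: 'https://registry.example/event-stream/-/event-stream-1.1.0.tgz',
        },
      },
    },
  },
};

// Usage: node lockscan.js [path/to/package-lock.json] [package-name]
if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const { copies, unverified } = report(lock, process.argv[3] || 'event-stream');
  for (const c of copies) console.log(`${c.path}: ${c.version}${c.integrity ? '' : ' (no integrity)'}`);
  for (const u of unverified) console.log(`missing integrity: ${u.path}@${u.version}`);
}
```

Run against a real lockfile the output tells you which versions of a package are actually pinned at each depth, which is the question a lockfile answers and a package.json range does not. An entry without an integrity hash is a pinned version but not a pinned artifact, so it is worth fixing (npm regenerates it on the next resolve) before relying on the lockfile as protection.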

@mmckegg %52mSDQEWX8XMESGVsdWWm3ORXsKHQdPVbH5ogY9bjgc=.sha256

@Christian Bundy

I wonder whether we'll eventually see permissions for Node modules, where filesystem and network access would be rare.

I believe this is one of the premises behind Ryan Dahl's new server-side JS project: Deno

@Christian Bundy %1zfdlLxz9wJnRLVdu/5UTzAlhsTsqipMbdfetaSXz3g=.sha256

@matt

What's your read on TypeScript? I've used it before and don't have any problems with the syntax, but I'm kind of hesitant to jump ship from JavaScript to a project I believe is maintained by Microsoft. Are my worries misplaced?

@mmckegg %PQNvaLxAuyIbARuJxIisGZYJxDvFo1G3ZiknMMGkk60=.sha256

@Christian Bundy

I have not yet used it on any projects, but after my experiences in Rust, I am quite keen to give it a try.

As for Microsoft's involvement: I trust them more than Facebook and react :grinning: My take is that if we can get some good open source software sponsored out of these massive companies, then that is a good thing.

@ev %FzBqBGm2QWHv91nfTvgKj6W9JWMXZdqFJEQ6e9Kv1yQ=.sha256

What's your read on TypeScript? I've used it before and don't have any problems with the syntax, but I'm kind of hesitant to jump ship from JavaScript to a project I believe is maintained by Microsoft. Are my worries misplaced? - @Christian Bundy

V8 is maintained by Google, so the same is true with Node.

But yes, Deno aims to solve the above problem, and a number of other problems such as getting rid of npm.


I find it hard not to disagree with the comments saying that Dominic could have done more to mitigate this situation. He also has indicated that he knows how to fix a known exploit in secure-scuttlebutt, but has so far been unwilling to fix the issue.

Can people who are not blocked by Dominic reach out to him and explain that it is his moral responsibility to fix this exploit before it is used to do harm to this network?

Let me apologize in advance for the flame war that is about to be directed at me for bringing this up again.

My fear is the next time we're on HN, it's because someone has posted abusive content here, and there's no way for us to delete it from our local machines and pubs.

I also wrote about this here: %MEE6w3S...

I wish I could fix this myself, but no matter how long I stare at the Flume DB code, I still don't get it. The only person I know on this network who understands Flume is the man who created it, Dominic Tarr.

If anyone else can fix this, and let Dominic off the hook, by all means fix it.

@ev %Ak95MVtGQhK9xuGKvF44qamUrbFUtfg2HMq0YuRKoH8=.sha256

Dominic is wrong. If there's no authority, then there's nobody taking responsibility. This is a perfect example of how lack of organizational structure simply does not work in the real world. Dominic's other projects like scuttlebutt are likely doomed to fail as well because of his wrongheaded views about organization. - https://news.ycombinator.com/item?id=18535100

I don't want this guy to be right.

@mikey %+4h8gV0T+6z9ZeQgWjz0OzZwZpgzlcbEfsCQujfO/hQ=.sha256

oh no the comments, so much open source consumerism: entitlement towards the productive labor of volunteers, no responsibility for those who take, all the responsibility for those who give, no reward if contributions go well, all the blame if things go bad.

cheers to you @dominic, sorry you're getting a heap of flak at the moment :heart:

@Dominic %KuSWHTGgMbcMXwvv59K+HGLSV/8O2mNZcQFfdzV9nEk=.sha256

@dinosaur I am getting some flak, but I'm also getting a lot of support from friends and others who see that too much is expected of maintainers.
I'm glad that this incident is bringing awareness to the absurd responsibility that module maintainers bear.

I haven't written anything that depends on event-stream in years. It was literally the first stream module that I wrote, 7 years ago. I've moved on significantly since then, switching to pull-streams before I started secure-scuttlebutt. That's one of the major problems here: I was left with the keys to maintain something that I no longer used. I have no skin in the game. Expecting me to maintain this makes no sense.

nothing in scuttlebutt depends on event-stream!

@Dominic %lmZUapP8fUrpAsXTrcvMFzXtIJ6tbPgxxJ9LgolkuSo=.sha256

btw, also my statement on this for the internet: https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a

@andrestaltz %oAqPAyDPF86JaTMuXOU/TOt44jbkkhQnKM+EBozkDfY=.sha256

Ouch, second frontpage HN article about this: https://news.ycombinator.com/item?id=18537583

I've been busy publicly defending Dominic out there on Twitter, but it's a bit scary (HN and its invisible tentacles always is scary or exciting or both) that at this point the entire programming community that sometimes follows news will know about this.

@Daan Patchwork %ir/Iv4E4sfkX2QfRznNnjgTHbMgNsWCYnpp+w/o6qpg=.sha256

@andrestaltz I'm sure some of that will be scary, but I'm sure some will also get there's a systemic problem here.

Not being a JS dev, and having very recently been burned by the supposed simplicity of JS and its ecosystem, I'm tempted to say this is a language-specific problem. In any case, it's good to see attention being directed to a problem that affects probably literally billions of devices. Never mind the haters on GitHub and HN...

@mikey %jplwunGFESGofvXCtvjQzriMyS3tpJs3cm5uzY2Ow2w=.sha256

@dinosaur where's that Open Source Programmers Unite! thing you wrote when I need it...

@bobhaugen: https://blog.dinosaur.is/workers-of-open-source-unite/

@cryPhone📱 %oDfjShWQD9kg8/weW0QznS2T6n1NAG5fIAtjxOUYlUo=.sha256

I‘m glad to see much saner responses to https://gist.github.com/dominictarr/9fd9c1024c94592bc7268d36b8d83b3a than on the GH issue.

I'm still baffled by all the "but there are too many submodules to vet them" argument. How can you go from "I recognized this problem" to YOLO and then find someone else to blame when your shit catches fire?

@lancew %Fku1/iaKG0dh7ETnvmYEQT00upzUf3QvtGwOLtWyRs0=.sha256

@Dominic Kia Kaha!

Sounds like you have found yourself in the middle of a storm not of your creating.

It also sounds like the people I respect are supporting you.

Security is hard, this reads like a planned, intelligent attack... so very hard to defend against... especially on zero time/money budget.

@Dominic %bJ6U81OrJRz0V6Xxhx8qdYsfgkBf6vZUi6YprRioiug=.sha256

Thanks everyone. I've gotten generally supportive messages from many people who are actual open source developers; they understand how it is! Everyone else, well, I think they'll figure it out eventually. I have been quite successful at ignoring them it seems (I haven't looked at Hacker News, and wouldn't recommend that in general ;)

@neftaly I remember the good old days when "because there is already a module for everything" wasn't the reason to use node. That was a long time ago now.

@ev %lFNBYR7RZ8op/H4i7ucwxbGh15eHVeYAiu7Ii7qTqx4=.sha256

This is an example case where organizational structures can be overcome in the real world. We should think about how to solve this problem. - @lzlr

Would you be willing to elaborate on this? I'm not sure I quite get what you're saying yet. Fork the thread if necessary, since this thread seems to be focused on the hn article.
