Uiterwijk: Fedora package delivery security

By jake On his blog, Patrick Uiterwijk writes about Fedora packaging and how the distribution works to ensure its users get valid updates. Packages are signed, but repository metadata is not (yet); there are, however, other mechanisms in place to keep users from being served outdated repository data (or from missing important security updates). “However, when a significant security issue is announced and we have repositories that include fixes for this issue, we have an ‘Emergency’ button. When we press that button, we tell our servers to immediately regard every older repomd.xml checksum as outdated.

This means that when we press this button, every mirror that does not have the very latest repository data will be regarded as outdated, so that our users get the security patches as soon as possible. This does mean that for a period of time only the master mirrors are trusted until other mirrors sync their data, but we prefer this solution over delaying getting important fixes out to our users and making them vulnerable to attackers in the meantime.”

From: LWN
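As an added illustration of the mechanism Uiterwijk describes (example code written for this summary, not code from the post or from Fedora's own mirror infrastructure), the model below keeps a history of repomd.xml checksums on the master side. In normal operation a mirror whose repomd.xml checksum is among the last few published is still considered current; pressing the emergency button shrinks the acceptable set to the single latest checksum, so only mirrors that have already synced the fix are handed out. The class and function names, the grace window and the sample repomd.xml contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class RepomdPolicy:
    """Master-side record of which repomd.xml checksums are acceptable.

    Hypothetical model (not Fedora's code): the master appends the sha256 of
    every repomd.xml it publishes. Normally the last `grace` checksums are
    accepted so mirrors that lag by a sync or two are still usable; in
    emergency mode only the newest checksum is accepted.
    """
    history: list = field(default_factory=list)  # oldest -> newest digests
    grace: int = 3          # how many recent checksums stay acceptable normally
    emergency: bool = False

    def publish(self, repomd_bytes: bytes) -> str:
        """Record a newly published repomd.xml and return its checksum."""
        digest = hashlib.sha256(repomd_bytes).hexdigest()
        self.history.append(digest)
        return digest

    def press_emergency_button(self) -> None:
        """Regard every checksum but the latest as outdated."""
        self.emergency = True

    def clear_emergency(self) -> None:
        self.emergency = False

    def acceptable(self) -> set:
        """Set of checksums a mirror may serve and still be treated as current."""
        if not self.history:
            return set()
        if self.emergency:
            return {self.history[-1]}
        return set(self.history[-self.grace:])

    def mirror_is_current(self, mirror_repomd_bytes: bytes) -> bool:
        # The checksum list itself is the trust anchor here: since repomd.xml
        # is not signed, a client must obtain the acceptable set from the
        # master over an authenticated channel rather than from the mirror.
        digest = hashlib.sha256(mirror_repomd_bytes).hexdigest()
        return digest in self.acceptable()


def select_mirrors(policy: RepomdPolicy, mirrors: dict) -> list:
    """Return the names of mirrors whose repomd.xml is acceptable under policy."""
    return [name for name, data in mirrors.items() if policy.mirror_is_current(data)]


# Constructed sample data: three successive revisions of a repomd.xml file.
REV1 = b'<repomd><revision>1</revision></repomd>'
REV2 = b'<repomd><revision>2</revision></repomd>'
REV3 = b'<repomd><revision>3</revision></repomd>'   # contains the security fix

# Constructed mirror state: the master is current, one mirror lags by one
# sync, another lags by two.
MIRRORS = {"master": REV3, "mirror-a": REV2, "mirror-b": REV1}


def build_policy(grace: int = 2) -> RepomdPolicy:
    """Publish the three revisions in order and return the resulting policy."""
    policy = RepomdPolicy(grace=grace)
    for rev in (REV1, REV2, REV3):
        policy.publish(rev)
    return policy


if __name__ == "__main__":
    policy = build_policy()
    print("normal   :", select_mirrors(policy, MIRRORS))
    policy.press_emergency_button()
    print("emergency:", select_mirrors(policy, MIRRORS))
```

With a grace window of two, mirror-a (one sync behind) is still served in normal mode while mirror-b is already excluded; after the emergency button is pressed only the master remains until the other mirrors resync, which is exactly the trade-off the post describes.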
Show-stopping bug appears in npm Node.js package manager

By Steven J. Vaughan-Nichols A new release of the JavaScript and Node.js package manager, npm, fatally changes file permissions. While that's been fixed, the entire messy process revealed more fundamental problems. Are you a developer who uses npm as the package manager for your JavaScript or Node.js code? If so, do not — I repeat do not — upgrade to npm 5.7.0. Nothing good can come of it.

From: LXer