
Should not use the wiki for the database

Status: Open. gtklocker opened this issue 6 years ago • 8 comments

Hi, thanks for npm2deb.

I noticed that every time it runs it's pulling the DB off the Debian wiki, though, which seems weird to me, considering that anyone can just edit the wiki. This means that anyone can just alter the behavior of npm2deb. Should we look into a more appropriate alternative?

Not sure if this has been discussed before, but I didn't find it anywhere.

gtklocker, Aug 13 '17 11:08

@gtklocker I consider it a good feature (anyone can revert any mistakes too). It is only used for the mapping of exceptions in naming, https://wiki.debian.org/Javascript/Nodejs/Database, and currently wiki registration is set to manual (your email needs to be whitelisted).

pravi, Aug 13 '17 11:08

@pravi it may be useful and flexible, I don't necessarily disagree. I haven't written or used this software for long enough to be the judge of that. But having it pull the database from the wiki every single time is kind of scary.

Even if the wiki users are vetted and everything, some random person can just break the software, and it'll take a couple of hours in the very best case for someone to fix it. That's not how the model should work, and that's definitely not what I'm expecting when I'm running software installed from the official Debian repos. And we're still not discussing how a malicious third party could try to take advantage of this, and how this widens the attack surface of the program for no good reason.

Some ideas that come to mind are:

  • Maintainers can have a separate repo for the database to which only they will have write access, and they can explicitly approve changes without fear of breakage (and maybe after some automated tests? like a linter at the very least?)

  • The DB can come packaged with the Debian package on a best-effort basis. This also sheds some light on another issue, which is that package names change between Debian versions. So that's why it would make sense to package different databases depending on which version of Debian runs on the host, or maybe do this kind of check before deciding which (hopefully trusted at this point) database to download. Currently npm2deb treats all versions as one, but that's just bound to cause issues.

gtklocker, Aug 13 '17 16:08
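The two ideas above (a linter gating changes to the naming database, and a bundled copy as a fallback) can be sketched in code. The following is an added illustration, not npm2deb's own code, and it assumes a hypothetical line-oriented format of `npm-name debian-name` pairs with `#` comments; the real wiki database format is not shown in this thread. The Debian package name rule is the one from Debian Policy (lowercase letters, digits, `+`, `-`, `.`; at least two characters; leading character alphanumeric). Sample databases are constructed inline.

```python
import re

# Debian Policy rule for binary/source package names: only lower-case letters,
# digits, plus, minus and period; at least two characters; start alphanumeric.
DEB_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

# npm package names: optional @scope/ prefix, lower-case, digits, '.', '-', '_'.
NPM_NAME_RE = re.compile(r"^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*$")


def parse_mapping(text):
    """Lint and parse a naming database (hypothetical 'npm-name debian-name'
    line format). Returns (mapping, errors); a non-empty errors list means the
    database must not be trusted."""
    mapping = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected two fields, got {len(parts)}")
            continue
        npm_name, deb_name = parts
        line_errors = []
        if not NPM_NAME_RE.match(npm_name):
            line_errors.append(f"line {lineno}: invalid npm name {npm_name!r}")
        if not DEB_NAME_RE.match(deb_name):
            line_errors.append(f"line {lineno}: invalid Debian package name {deb_name!r}")
        if npm_name in mapping:
            line_errors.append(f"line {lineno}: duplicate entry for {npm_name!r}")
        if line_errors:
            errors.extend(line_errors)
            continue
        mapping[npm_name] = deb_name
    return mapping, errors


def load_database(fetched_text, bundled_text):
    """Accept the fetched (wiki) copy only if it lints clean; otherwise fall
    back to the copy shipped with the package. Returns (mapping, source)."""
    mapping, errors = parse_mapping(fetched_text)
    if not errors:
        return mapping, "fetched"
    mapping, errors = parse_mapping(bundled_text)
    if errors:
        raise ValueError("bundled database is also invalid: " + "; ".join(errors))
    return mapping, "bundled"


# Constructed sample databases (hypothetical entries, not from the wiki).
GOOD_DB = """\
# npm name        Debian package
lodash            node-lodash
@babel/core       node-babel7   # hypothetical mapping
"""

BAD_DB = """\
lodash node-lodash
lodash node-lodash-dup
Express Node-Express
rm-rf
"""

if __name__ == "__main__":
    mapping, source = load_database(BAD_DB, GOOD_DB)
    print(source, mapping)
    for err in parse_mapping(BAD_DB)[1]:
        print("lint:", err)
```

Running the block rejects the constructed `BAD_DB` (duplicate key, uppercase names, missing field) and falls back to the bundled copy. In a real deployment the same lint would run in CI on the maintainers' repository so that a bad edit never reaches users at all.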

You can have the same behaviour (a controlled source) if you apply an ACL to the wiki page: https://moinmo.in/HelpOnAccessControlLists

The idea of having it in a wiki page is that every time you change the DB, you don't have to release a new version of the package.

LeoIannacone, Aug 13 '17 16:08
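For concreteness, this is what such a MoinMoin ACL looks like. It is an added example, not something from the npm2deb project or the actual wiki page; `NodejsMaintainersGroup` is a hypothetical group page name (MoinMoin group pages must end in `Group` and list their members). The `#acl` line is a processing instruction and must appear among the first lines of the page.

```text
#acl NodejsMaintainersGroup:read,write,delete,revert,admin All:read
```

With this in place everyone can still read the database, only group members can edit or revert it, and only they (via `admin`) can change the ACL itself, so an ordinary whitelisted wiki account can no longer alter what npm2deb downloads.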

@LeoIannacone I do realise the benefits, have a look at my first point on the comment above. I think it's a nice solution that allows contributions in a pretty clean way. :)

gtklocker, Aug 13 '17 16:08

I see your point, I'm just saying that we can easily fix the security issue by making the wiki page writable only by a few people.

LeoIannacone, Aug 13 '17 20:08

This indeed fixes my main concern yeah (that someone can just break npm2deb). Let me know how you'd like to proceed with this and if I can help in any way 😄

gtklocker, Aug 13 '17 21:08

@shanavas786 would you add the ACL to that page with a list of users we trust?

LeoIannacone, Aug 14 '17 10:08

@LeoIannacone ok.

shanavas786, Aug 14 '17 12:08