On Monday GitHub announced it plans to buy NPM Inc, which operates the npm repository relied upon by 12 million JavaScript developers. The deal, announced by GitHub CEO Nat Friedman and NPM co-founder Isaac Schlueter, brings another major piece of open source code infrastructure under the control of GitHub's owner, Microsoft …
Which PKI? Who checks dev certificates? How difficult is it, for example, to take package X, modify it, re-sign it with a valid dev certificate and distribute it from a local node repository?
And still, the infrastructure to make it reliable won't be either simple or cheap.
You may trust your torrent sources, but I won't bet any real application and its customers on code downloaded by whoever happens to run a node.
> Who checks dev certificates
Your package manager. Every package manager which expects signed code has a mechanism for telling it which signatures are acceptable for which packages/repositories.
I imagine the chief difference from today's centralised systems would be that a change in ownership of a package would be an explicit action every package consumer would have to make (accepting the new dev's signing key for that package), rather than delegating that decision to the controllers of the repository.
> How difficult is it, for example, to take package X, modify it, re-sign it with a valid dev certificate and distribute it from a local node repository?
Trivial. It's called "creating a new package".
But how difficult is it to take that package, modify it, re-sign it with a certificate people trust, and pass it off as the same package from the same source as before?
Barring a disclosed private key, practically impossible.
No, who checks certificates emitted to developers - which means who manages the PKI and ensures nobody can modify a package and try to disguise it as the original package when requested from its node.
As long as there is a "centralized" repository, it's harder to do that - otherwise, it becomes much, much simpler.
To counter it you would need to pin each package to a given dev cert (and have a mechanism to handle that), and each time a certificate is renewed or maintainers change, if the application downloads code as it's run, it will break. Fewer issues of course if the package is not downloaded dynamically - but if you don't have to serve packages to millions (or billions) of users continuously, you will need far fewer resources as well.
> No, who checks certificates emitted to developers - which means who manages the PKI
Why do you need someone as gatekeeper of certificates? Individuals can and do create their own certificates for use with SSH, and that system has worked securely for decades.
You don't need GitHub or whoever to decide who can SSH to your server so, for the technical user, why is it necessary to have a middle-man deciding whose software you can run?
> ensure nobody can modify a package and try to disguise it as the original package when requested from its node.
If code is properly signed, you can't. Doesn't matter where either the certificate or software came from.
However, if you're just relying on a centralised repository, then the centralised repository can decide to let someone new modify a package and disguise it as the original.
> To counter it you would need to pin each package to a given dev cert (and have a mechanism to handle that), and each time a certificate is renewed or maintainers change, if the application downloads code as it's run, it will break.
Yes. Lots of software already works like this. Chrome does this. Linux distros do this. Microsoft Windows does this.
If you know that a signing cert is expiring, you generate a new one in advance and bundle it with an application update, signed with the old cert so it's accepted. Then, when your old certificate expires, the application already has the new one in place to receive further updates.
Oh, I think we are firmly in Extend territory here. Microsoft has officially Embraced Linux for a while already and, with GitHub now in its pocket, it is in the process of taking control of the major code repository of most, if not all, Open Source projects.
The Extinguish step is going to be interesting to watch. Will Microsoft force all code to talk to Azure before executing? Or will it find some less obvious way to control everything?
Make your bets, the wheel is turning.
"The Extinguish step is going to be interesting to watch"
FFS, why does this outdated conspiracy theory continue to be peddled? Linux has basically won everywhere apart from the desktop and now Microsoft has no choice but to coexist with Linux.
Microsoft's hostility to Linux and all things open source ended the day that brain sloth Ballmer left Microsoft back in 2014.
(from a Linux user)
> FFS, why does this outdated conspiracy theory continue to be peddled?
Because it's not, and never has been, a "conspiracy theory". It was an explicit business strategy used by Microsoft.
> Linux has basically won everywhere apart from the desktop and now Microsoft has no choice but to coexist with Linux.
Yes, they have been strongly embracing Linux, even so far as making sure they have a (very expensive) seat at the table of the Linux Foundation. That gives them a lot of strategic influence, and if you think they don't intend to use that to pursue their own goals, I have a bridge to sell you.
> Microsoft's hostility to Linux and all things open source ended the day that brain sloth Ballmer left Microsoft back in 2014.
It takes a long time to turn a supertanker, even when the owners agree on the change of direction. There is a lot of cultural and management inertia to overcome in a company that size.
This was bound to happen: nobody wanted to pay $7/month per user for a "professional" version, so when the venture money was gone, selling user data would be the only option left. I bet we'll see some Azure-npm-GitHub-LinkedIn synergies in selling your user data.
"Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it," said Friedman in a blog post.
"Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that broke it," said Friedman in a blog post.
I predicted Microsoft's acquisition of NPM a couple of weeks after GitHub.
The secret is: they don't give a shite about open-source or developers; what they are aiming for is to control the "professional employment market".
LinkedIn, GitHub and NPM are the core ways where a developer can show off their skills / projects and try to obtain a job with a high salary. Microsoft wants to control this so that they can stifle developers who do not conform and ultimately damage innovation that is not "theirs".
So next predictions:
Stack Overflow - My number one contender. I imagine they are already in negotiations.
Unity 3D - So many kids use this to try to show off their game development skills on their portfolios. I think it has a high chance.
Now it is just a waiting game.