
blip.strongloop.com is dead – what is this? - kolodny
https://github.com/strongloop/loopback/issues/1079
======
hitekker
Between this and the other article regarding the death of ExpressJS -- is IBM
a good contributor to the JS open source community?

~~~
__derek__
Did you read the GitHub thread on Express? The project is still very much
alive, but its internals have been broken out into standalone packages, so the
only commits to Express itself are version updates. That issue was created
based on a misunderstanding.

~~~
plorkyeran
If you read further down on the Github thread, the guy who did the splitting
out is no longer working on the project and it's now fully in IBM's hands, who
aren't doing much of anything.

~~~
__derek__
I just saw that! I read it a few days ago, but went back to catch up. I came
back to edit my comment.

------
brillenfux
I have long since come to the conclusion that most of the nodejs ecosystem is
rotten. I don't even know where to begin.

I'm certain this is a mentality issue more than anything.

~~~
untog
I just think that the nodejs ecosystem moves fast. But anything involving
StrongLoop/IBM is immediately suspect.

~~~
edwinnathaniel
Just strongloop is enough. IBM acquihired them and let them do what they have
been doing...

------
amluto
One might reasonably wonder whether executing npm outside a sandbox is a good
idea under any circumstances.

~~~
avita1
But they can't be stealing any identifying information right? At best it can
count the number of times the package was downloaded.

Isn't the solution for npm to have tighter controls on where it will download
packages from?

~~~
STRML
It depends on whether or not it actually delivers a payload. If it does, then
it can use a `postinstall` hook to execute absolutely anything it wants, under
the context of the user.

This is why you should always shrinkwrap and run a private npm repository in
production. Anything less is opening you up to remote takeover at the whim of
a single package publisher.

------
robdodson
Source:
https://twitter.com/samccone/status/688809217692545026

------
dexwiz
Analytics shouldn't break applications. If anything npm should provide a way
to opt into analytics and provide them to all publishers.

~~~
kuschku
Even worse, they’re doing analytics without opt-in, or providing a way to use
the package without analytics.

This is clearly inacceptable.

~~~
forgottenacc56
Unacceptable

~~~
kuschku
See, this is why I don't like English. in- and un- both should mean the same,
why can't I use them synonymously?

~~~
majormjr
Inflammable means flammable? What a country!

~~~
mchahn
I'm not sure what country you are talking about. Inflammable means the same in
every english-speaking country.

~~~
trav4225
The commenter was making a comical reference to Yakov Smirnoff:

https://en.wikipedia.org/wiki/What_a_Country!

~~~
throw_away
Specifically, the Simpsons' reference to Yakov Smirnoff:

https://www.youtube.com/watch?v=Q8mD2hsxrhQ

------
nodesocket
`curl -i http://blip.strongloop.com/loopback` returns content from S3. Are we
suggesting then they are using S3 bucket analytics to see how many times a
package has been downloaded then?

------
cpeterso
Should the HN title include "(2015)"? This StrongLoop issue was reported in
February 2015.

~~~
STRML
Perhaps. I opened it a long time ago, but I've still been trying to keep it
alive in the hope that somebody from Strongloop will actually comment on it.

In the meantime, if you use a Strongloop package, fork it and remove the
optionalDependency.

