"Please, try harder or get forked. Not sure how else to say that."
I think it has become more of an issue in general as the discussion of software projects has moved away from mailing lists and newsgroups to blogs and other more centralized discussion forums.
I recently saw similar censorship happen at Opera's blogs. I would read some of the comments one evening, and there'd be some good discussion about features that the newer versions of Opera's desktop browsers are still missing. They weren't always positive comments, but they'd be relevant and remarkably civilized given the circumstances. Then I'd read the same blog post a day or two later, and entire discussion threads full of useful content would be gone.
Criticism and negative discussion is often the most valuable that there is. It often highlights real problems that need to be solved. To delete such commentary is not at all helpful, and actually probably quite harmful.
Here's a link to the full text: http://blog.npmjs.org/post/78085451721/npms-self-signed-cert...
Hey. Crazy kids. This probably needs to be that one event where you sort of realize: "Oh. Shit. Other people...like...use this & stuff. We need a damn road map and a release schedule. Stop smoking dabs all day, breh."
Now is also a great time to learn how to think about the potential ramifications a production push will have prior to making said production push. And, if your change might impact some or perhaps even all of the other people who use your technology, then some degree of coordination - perhaps an email? - would be nice. It's one of those things that will help make you look professional. I suck at professionalism. You have no idea. But, even I know this much.
Because, right now, I sort of feel like I'm asking some very rightfully fearful people to consider entrusting perhaps their actual career into the development of technology they need to succeed and thrive. And, I just started recommending Node.js - with a caveat - that npm basically sucks. I hate having to do that and it needs to stop.
So, here we are.
Your words continue to be one thing, and your actions continue to be quite another. If it is even possible to break a tool like this, that tool is not enterprise grade. If there is nothing that can be done to successfully insulate a tool from unexpected behavior like this, then that tool scores less in evaluations that consider the risk of using it.
npm, at this point, has more going against it in the discussion than going for it right now. Events like this are, in the grand context, very significant and telling. They are also ill-timed. Because big, important decisions are trying to happen right now regarding the use of Node.js. It is literally on the cusp of going mainstream. And, that seems to be generating some pressure that at least one team (npm) doesn't seem to be equipped to handle.
So, before you find yourself facing a community that forks instead of trying to work with you, I would like to just make a simple recommendation. In the future, you seriously need to sit and think about the potential ramifications of a production push. And...this is the important part...if those changes are going to have a wide impact on your users - send some sort of email WELL IN ADVANCE. A flippant blog post the day of is not Doing It Right™.
Because, and I feel like I might not only be speaking for myself, I'm not going to allow the promise of Node.js to be voided by the lackluster and problematic performance of its weird bolt-on archive service. Someone, perhaps even me (as in: today), will simply replace you with a workable, decentralized solution that enterprise can specialize to purpose and communities can use to grow and thrive.
If you have any questions, ask somebody. Anybody. If you're struggling with some concept of enterprise grade operations, what people expect of you and how you can succeed with events like this in the future, I'm positive every capable person here would provide some level of guidance and support. We want you to succeed.
Please, try harder or get forked. Not sure how else to say that.
I didn't delete your comment. I'll look at the moderation queue and see if maybe disqus is set to auto-hide after some time or something. I'm sorry for the confusion there.
A lot of this is also in how they manage the fallout of this decision - the "Streisand Effect" may come into play here...
The "canonical" resource for my comment on npmjs.org today can be found here:
That is my personal blog running on my personal server on a DSL line that I can't afford while about to go homeless. I have no choice. I have to speak up and fight for what I want to be using or throw in the towel.
What would you do?
So it sounds like it is not ready. _This_ drama, tangled slinkies of callbacks, drama with the Node.JS contributor that got pushed out because if "her" vs "his" pronouns and so on. Nothing of that says it is ready. So I pretty much agree with your IT department. Sorry.
> And, I'm sick of failing because other people suck, won't learn, won't adapt, won't address problems or make progress.
Maybe they did, they just didn't arrive at the same conclusion as you. Maybe they are even right.
Devils advocate, is it actually ready? Especially in light of the incompetence on display with this particular issue?
The main problem with Node.js is that the libraries out there simply are not good, are broken / don't do what it says it does, or have critical issues outside of the most basic use cases. I'm talking about the popular libraries (like Socket.io) down to all the ones being contributed by the community. I've found flaws in every single library I've used so far, and they are flaws not present in their Python and Ruby counterparts.
Error handling in Node.js is one of the worst of any language.
NPM is now deploying breaking changes to production, without apology.
I've spent 2 years in this ecosystem, and pretty much anything else feels liberating in comparison, be it Python, Ruby, Go, Erlang, etc etc.
The only thing Node.js has going for it is a community of front-end developers who want to dabble in backend architecture, but I just feel this whole entire ecosystem is too fragile for my tastes.
Like MongoDB, as people begin creating successful businesses out of it and reach a certain scale, similar articles bashing Node.js are all but inevitable.
As to the existing libraries, I find a bigger issue is sometimes the number of bad libraries that have become more popular than maybe better libraries. That and some bits have been abandoned for some time now. -- That said, I find that since most of them are out in the open, it's easy enough to fork and address the issues at hand, if the upstream author is unresponsive, then change the name in package.json, and publish your own version.
I've seen far worse error handling... you can use try/catch/finally, which is pretty standard, and most internals will do this for you, and return the error against the callback.
npmjs.org isn't the entirety of the node community, and I think this particular instance was a bit of a mistake, but perhaps not having npm fallback to regular CAs was also a mistake... if they'd done that, it would have continued to work. I don't know of a way they could have done this without breaking something... The lack of advance notice is the biggest issue, but many/most wouldn't have seen it anyways.
With node/npm it's easy enough to create more/smaller packages/modules that are easier for larger teams to maintain. We've been using git+ssh:// references for our internal packages.
I've spent the better part of 4 years following, and over 3 using node.js. I find that there is a huge mix of developers in the larger community, and that it's a lot like running with scissors at the moment, but things will stabilize when the dust settles a bit. I think it's uptake has been far faster than Ruby/Rails and there have been some growing pains.
More than the front end developers, we get to have full stack in one language for a lot of environments. We also have the benefit of a few very large companies participating (Yahoo, Walmart, and others). I'm at GoDaddy in Platform and Commerce development, and a huge portion of our new development server-side is going with node.js
I don't doubt that there will be detractors regarding the use of node.js in certain environments. I wouldn't use it for say image processing... but I might use it as a manager against a queue which launches image processing. It's a matter of using the right tool for the job.
Guillermo Rauch is working on a complete rewrite (engine.io), but it's been very slow going. I don't envy him; socket.io has gotten very popular very fast, it's complicated software, and people expect it to be much more polished than it is.
You listed some downsides, but none of them are actually breaking problems that block running a stable node production system.
When you use redis-store, after running for a while, it puts your CPU usage at 100%, and you have no idea that it was because you used redis-store.
Socket.io therefore is only really optimized for running a single process, which of course breaks down as soon as you have any significant I/O throughput or hit a certain # of connections.
Same issue happened to me when using the Node zmq library. Inexplicable increase in CPU, which took 3 months to later fix.
I could really go on, but these are mission critical libraries that have obscure bugs that are extremely difficult to track down and will bite you in production.
Before I'd ever consider using Node.js again, I'd wait for
- 1.0, this is taking too long. And even when they release a 1.0, it is more likely to be for marketing purposes than actual product stability.
- Library Maturity (maybe another 2-3 years)
- Better error handing. Nothing is worse than being left wondering why your server is failing in a production environment without relevant context and information.
Another problem with the Node.js community (not all, but a lot) is that you have all these former front-end guys who can build great APIs with pretty web sites that make you believe the library is battle tested and safe to use, when in fact nothing is further from the truth.
For 3 years without a fix, you'll have been able to DDOS your own server with socket.io: https://github.com/LearnBoost/socket.io/issues/438
Presently seeking to either find a place that's already working with Node, earn a living on my own project based on Node or switch careers. I intend for this to be my last attempt at being able to work my way. It's never going to make sense to others, so I have to make this work.
Sorry if my outburst asked all the hard questions, but reality is: How is this stuff going to get ready if there isn't some pressure to move it in that direction? And, given this is the environment I want to build in, what am I supposed to do? Wait for someone else to kick a tire & light a fire?
No, thanks. Done with that. Don't care if Node's not perfect for what you want to do. It's the right tool for my jobs and the kind of jobs I want to be working on. We're not all docking space shuttles to space stations in real life.
Anyway, I have stopped recommending Node.js. I just personally use it and won't work anywhere that doesn't.
It sounds to me like you are convinced that Node is the one and only way to build the software you work on (I think that's bullshit frankly), and you won't accept any alternatives. Well, you are about to find out the hard way what happens when you aren't willing to work past your own pride.
So yeah.. I was thinking this myself. this type of errors are unacceptable.
It looks like the npm registry used to have a certificate signed by npm's own CA, and existing npm clients only trust that CA by default, not the normal list of verisign, digicert, etc. (Trusting versign et al would defeat the point of using their own CA.) The signing key for that CA is pretty darn important, and maybe there are entities other than npm, inc who might know it (i.e. nodejitsu).
So npm, inc rolled out a new cert that looks to be signed by digicert, but existing clients don't trust Digicert until you explicitly configure them to.
I was thrown off by the SELF_SIGNED_CERT_IN_CHAIN error; I expected some error about an untrusted root CA if the problem was that npm clients didn't trust digicert, but apparently SELF_SIGNED_CERT_IN_CHAIN is what OpenSSL returns when the root CA isn't loaded.
npm CA -> digicert CA -> any other intermediates -> server cert
Edit: It looks like what I'm missing is that you'd need the private key of the digicert CA to generate the request to sign with the npm CA. I was thinking about how CAs have been migrated in the past (e.g. equifax to geotrust global CA). It looks like it won't work in this case.
Edit2: Actually, it appears to work after all. I just tested with the openssl ca command, and you give it -ss_cert instead of -in for the certificate to sign a certificate instead of a request.
A sense of arrogance that precludes understanding x509 infrastructure before you roll out a world-breaking change.
This mistake was, in hindsight, a clear error in judgement. It highlights missing steps in their change deployment process. And I expect them to learn from it, as the larger Node community has shown they can learn from mistakes.
Part of joining the ranks of "enterprise"-grade projects is first being an aspiring project, and part of that is learning a lot. Anyone who expects that to happen without a few bumps is naive.
The chain is accepted by Firefox and Chrome with NSS, but Safari (and Chrome on OSX) gives a self-signed warning message. I asked AGL and he thinks that it should be valid:
So it looks like it should work in theory, but in practice, even if npm had attempted this, it wouldn't work on Mac.
All root CAs are self-signed, that's what makes them root. What overrides the self-signing being an error is it being listed in the CA list available to the client which is updated out of band.
It was surprising that npm status didn't have any sort of warning. I had to find out about this via twitter. I think it's extremely irresponsible and I'm glad we've started to move away from node.js and started to use Java.
That npm as a project thought this was the correct way to handle this kind of transition is very unsettling.
Just because somebody points out serious flaws or problems with one technology does not automatically mean that he or she thinks that other, unrelated-yet-similar technologies aren't flawed or are somehow perfect.
That is what I was responding to directly. The implication from the statement was that npm flaws (i.e certificate changes that break everything) is a good reason to switch to Java.
It isn't at all a good reason to switch to java, as java's equivalent would easily waste more time than even this rather embarrassing certificate problem with npm.
> unrelated-yet-similar technologies
It is related, and similar, it is a like-for-like comparison between nodejs package management and java package management.
Works fine for me. Has a healthy ecosystem of 3rd-party artifact repository implementations.
As someone who has used it daily for the past 5.5 years - not really. That said, I'd prefer something like Gradle, but I can't fault Maven for just working, goddamnit.
I'm not sure you get how threading works, but this thread originated from the above quote. And comparing npm with Maven given the above statement is relevant, given it is the primary "Package management" system for Java, much like npm.
If you had some information about Maven callously performing a user-hostile update, the comparison would be appropriate. As it is you're just relying on "lolz, Java sucks" as a form of argument.
I'm saying Maven isn't better, nor would npm's mistake be a good reason to switch from to Java from Node.
npm didn't perform a user-hostile update, they made a mistake with certificate authorities.
How many 0-days have forced a java upgrade on people... was that a 'user hostile' move by sun/oracle.
I think your line of reasoning is utterly ridiculous, and you are responding to words I didn't say.
"Tell us all about how awesome it is building apps in Java!" sounds like a pretty loaded comment to me though.
That's not at all what he said.
People have (foolishly, in my opinion) chosen to make npm an integral part of their deployment process, which is why this change has broken a lot of people's deployments. They're going against the official npm recommendation , which is to check your dependencies into your source repository and not use npm in deployment scripts. (A good idea with any package manager, imo. )
Not that I'm excusing npm; a change like this seems like something they should have taken more carefully.
 Npm recommends checking product dependencies into your repo: https://npmjs.org/doc/faq.html#Should-I-check-my-node_module...
I assume you're talking about http etc.. These do not depend on npm and have nothing to do with npm.
Edit: I used to email project owners about issues like this, but never seem to get any response, so I stopped. The worst one, in terms of losing $$ was Pandora. I keep trying to sign up for the paid service, but the form to put in your credit card details is served over HTTP. I emailed them several times with no response.
Edit: Oh, plus you can always use a checksum to verify your download packages  :)
Because then you're susceptible to remote MITM? VPNs are useful but do not replace end-to-end encryption.
And you can load the form, which is just an HTML input form with some sensitive data (last 4!), over HTTPS. It sucks that HTTPS is not default though.
Lastly, what you are saying is simply not true.
If you listen on port 80 and respond with a 301 Moved Permanently (pointing to the https:// URL), that can be MITM'd also. Just proxy to the real HTTPS site and rewrite all the links (using absolute protocols) to be HTTP. Or, if users are trained to look for the lock icon, proxy through an HTTPS server under your control with a convincing domain name.
Even if you do block port 80, it requires users be educated to never access the http:// version of the site, because a malicious network operator could just operate a forwarding proxy and rely on users hitting the http:// URL. After all, HTTP is the default protocol used when I type in www.website.url to access HTTP. (aside: Perhaps browsers should attempt HTTPS first and then fall back to HTTP?)
I don't know of any public websites that aren't vulnerable to this. It's currently too user-hostile to require https://, so everyone helpfully redirects.
The only saving grace is that most non-technical users today don't actually use URLs. They access Facebook by typing "facebook" into the Chrome URL bar. That's a secure search, which gives a secure link.
I really don't think an advance notice would have hurt. So much for automation.
(add all the latest drama, and you're basically just asking to be forked..)
Solution 2: is a terrible idea for people who have their own private registries or proxy caches. Also a security issue in general...
This leaves you with needing to upgrade node, which may or may not be possible due to operating system/platform constraints. Luckily we were using this https://launchpad.net/~chris-lea/+archive/node.js/ which makes life on ubuntu ok.
We set up our own proxy cache, at this point im thinking about increasing the cache time to something like 2 weeks.
But it does provide a case study for the rest of us on what or what not to do.
Maybe I'm being hopelessly optimistic by not jumping to the conclusion that they did no validation whatsoever before?
npm config set strict-ssl false
npm update npm -g
npm config set strict-ssl true
I'm sure the likelihood of experiencing a MITM attack here is low, but the security consideration needs to be as widely advertised as the solution.
The change broke bower at on my laptop. The above link fixed it.
I can't figure out from the blog post whether the change was in the npm server or client.
npm --registry http://registry.npmjs.eu/ install blah
I think Rob's comment sums up my feelings. A bit more aggressively, but the same gist.
You can see on the following step which image is being used when deploying an app:
So what I did was change that to an image of my own based on the progrium/buildstep one:
sudo docker run -i -t progrium/buildstep /bin/bash
sudo docker commit <id> myownimage
And to get to the point I have changed the npm install line to run pointing to the http EU repo.
npm install --registry "http://registry.npmjs.eu" --userconfig $build_dir/.npmrc --production 2>&1 | indent
The blog post doesn't mention deleting the config change after updating, which (I'm not an expert) might be important. I think this is a full fix:
D:\repos\js-master\phantomjscloud-backend>npm install npm -g --ca=""
npm http GET https://registry.npmjs.org/npm
npm http 200 https://registry.npmjs.org/npm
npm http GET https://registry.npmjs.org/npm/-/npm-1.4.4.tgz
npm ERR! fetch failed https://registry.npmjs.org/npm/-/npm-1.4.4.tgz
npm ERR! Error: CERT_UNTRUSTED
npm ERR! at SecurePair.<anonymous> (tls.js:1349:32)
npm ERR! at SecurePair.EventEmitter.emit (events.js:92:17)
npm ERR! at SecurePair.maybeInitFinished (tls.js:962:10)
npm ERR! at CleartextStream.read [as _read] (tls.js:463:15)
npm ERR! at CleartextStream.Readable.read (_stream_readable.js:320:10)
npm ERR! at EncryptedStream.write [as _write] (tls.js:366:25)
npm ERR! at doWrite (_stream_writable.js:219:10)
npm ERR! at writeOrBuffer (_stream_writable.js:209:5)
npm ERR! at EncryptedStream.Writable.write (_stream_writable.js:180:11)
npm ERR! at write (_stream_readable.js:573:24)
npm ERR! If you need help, you may report this log at:
npm ERR! <http://github.com/isaacs/npm/issues>
npm ERR! or email it to:
npm ERR! <email@example.com>
If anything, roll out a new version and gracefully drop support for other clients.