
If anyone is wondering what the actual change was:

It looks like the npm registry used to have a certificate signed by npm's own CA, and existing npm clients only trust that CA by default, not the normal list of verisign, digicert, etc. (Trusting verisign et al would defeat the point of using their own CA.) The signing key for that CA is pretty darn important, and maybe there are entities other than npm, inc who might know it (i.e. nodejitsu).

So npm, inc rolled out a new cert that looks to be signed by digicert, but existing clients don't trust Digicert until you explicitly configure them to.

I was thrown off by the SELF_SIGNED_CERT_IN_CHAIN error; I expected some error about an untrusted root CA if the problem was that npm clients didn't trust digicert, but apparently SELF_SIGNED_CERT_IN_CHAIN is what OpenSSL returns when the root CA isn't loaded.

-----


If the clients trust the npm CA, can't they just sign the digicert CA with that CA and include it in the certificate chain provided by the server? That way the chain would be:

    npm CA -> digicert CA -> any other intermediates -> server cert
Clients that only trust the digicert CA (and other standard CAs) will see that and accept it because they trust the digicert CA, and clients that trust the npm CA will trust the cert also, allowing both old and new clients to work. Once (almost) everyone has upgraded, the npm root CA can be removed from the chain presented by the server. Am I missing something here?

Edit: It looks like what I'm missing is that you'd need the private key of the digicert CA to generate the request to sign with the npm CA. I was thinking about how CAs have been migrated in the past (e.g. equifax to geotrust global CA). It looks like it won't work in this case.

Edit2: Actually, it appears to work after all. I just tested with the openssl ca command, and you give it -ss_cert instead of -in for the certificate to sign a certificate instead of a request.

-----


That kind of chain doesn't seem to be ubiquitously accepted. I built up something similar at https://ssltest.greenapes.com:4443. There is a self-signed CA signing a trusted CA (StartCom), which in turn is signing a valid certificate for the hostname.

The chain is accepted by Firefox and Chrome with NSS, but Safari (and Chrome on OSX) gives a self-signed warning message. I asked AGL and he thinks that it should be valid: https://twitter.com/giovannibajo/status/439746540249567232

So it looks like it should work in theory, but in practice, even if npm had attempted this, it wouldn't work on Mac.

-----


> Am I missing something here?

A sense of arrogance that precludes understanding x509 infrastructure before you roll out a world-breaking change.

-----


Let's apply a bit of sense here: this was a failure of judgement, not arrogance. It's perhaps easier to picture the npm developers as maniacal villains, cackling as they wield destruction among us. But that's not the case with them, just as it is pretty much never the case with project developers.

-----


I just picture them as cowboy coders not really aware of what it takes to build and maintain software for large enterprises, which is, unfortunately, their stated mission.

-----


Let any developer who has never pushed an update with unintended side effects raise their hand.

This mistake was, in hindsight, a clear error in judgement. It highlights missing steps in their change deployment process. And I expect them to learn from it, as the larger Node community has shown they can learn from mistakes.

Part of joining the ranks of "enterprise"-grade projects is first being an aspiring project, and part of that is learning a lot. Anyone who expects that to happen without a few bumps is naive.

-----


I agree with you. Everyone makes a mistake once in a while. To be successful, you should learn from it.

-----


I don't think people think they're arrogant. I think people find them unsuited to the task at hand. If you felt that way already, this incident would have been another nail in the coffin.

-----


Indeed! Don't forget kids, don't ever do anything if you're not already an expert.

-----


Yes, that sounds about right. Spend the time necessary to understand before you inflict your lack of understanding on the world.

-----


> I was thrown off by the SELF_SIGNED_CERT_IN_CHAIN error; I expected some error about an untrusted root CA if the problem was that npm clients didn't trust digicert, but apparently SELF_SIGNED_CERT_IN_CHAIN is what OpenSSL returns when the root CA isn't loaded.

All root CAs are self-signed, that's what makes them root. What overrides the self-signing being an error is it being listed in the CA list available to the client which is updated out of band.

-----
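To show what the cross-signing comment above proposes and what the self-signed-root comment explains, here is an added example (not code from the thread) that builds the chain with openssl and runs it past a client trusting only the private root and one trusting only the public root. It assumes openssl 1.1.1 or newer on PATH; the CA names, the hostname registry.example and the file names are constructed stand-ins.

```shell
# Added example, not code from the thread: rebuild the cross-signed chain the
# commenter describes with openssl. All names are constructed stand-ins.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
# Minimal config so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:registry.example
EOF
new_root() {  # $1 = file stem, $2 = CN: make a self-signed root CA
    openssl req -new -x509 -config ca.cnf -subj "/CN=$2" -days 30 \
        -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
new_root npm-ca "npm private CA"     # the only root old clients trust
new_root public-ca "Public Root CA"  # plays Digicert; what new clients trust

# Registry certificate issued by the public CA (the "new cert" in the thread).
openssl req -new -config ca.cnf -subj "/CN=registry.example" -newkey rsa:2048 \
    -nodes -keyout registry.key -out registry.csr 2>/dev/null
openssl x509 -req -in registry.csr -CA public-ca.crt -CAkey public-ca.key \
    -set_serial 1 -days 30 -extfile ca.cnf -extensions leaf_ext \
    -out registry.crt 2>/dev/null

# Cross-sign: re-issue the public CA's certificate (same subject, same key) under
# the private CA, the step the commenter did with "openssl ca -ss_cert"; -clrext
# drops the original extensions so the re-added ones are not duplicated.
openssl x509 -in public-ca.crt -clrext -CA npm-ca.crt -CAkey npm-ca.key \
    -set_serial 2 -days 30 -extfile ca.cnf -extensions ca_ext \
    -out public-ca-cross.crt 2>/dev/null
# chain_status ROOT [-untrusted CERT]: what a client trusting only ROOT sees when
# the server sends registry.crt plus CERT. Prints OK or the X509 error number
# (19 = self-signed certificate in chain, 20 = unable to get local issuer).
chain_status() {
    root="$1"; shift
    if out="$(openssl verify -CAfile "$root" "$@" registry.crt 2>&1)"; then
        echo OK
    else
        echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

echo "old client, server sends the public root:    $(chain_status npm-ca.crt -untrusted public-ca.crt)"
echo "old client, server sends cross-signed CA:    $(chain_status npm-ca.crt -untrusted public-ca-cross.crt)"
echo "new client, server sends cross-signed CA:    $(chain_status public-ca.crt -untrusted public-ca-cross.crt)"
```

The first line reproduces the SELF_SIGNED_CERT_IN_CHAIN (error 19) that old clients hit; the other two show the cross-signed intermediate satisfying both kinds of client, which is the openssl side of the question and says nothing about the Safari behaviour reported further up.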


Core dev here -- I've been doing some work here and there on framework security and I'd love to talk about the security problems you're running into, if you wouldn't mind shooting me an email sometime.

-----


This main point is ridiculous. Our response to deaths should scale exactly proportionately to the number? I shouldn't let the death of a friend upset me disproportionately more than the death of a stranger?

A reasonable statement would have been, "Let's not let these deaths be cited as an excuse for tyranny." But what he said was more along the lines of, "Let's not be very upset about these deaths, because then they will be used as an excuse for tyranny." Why should we let the government's supposed tendency towards tyranny influence our emotional reactions to the deaths of friends and colleagues? Instead, let's react however is natural to these deaths, and at the same time ensure that we don't stand for fear-mongering and security theater.

-----


Well, that's a different issue than what Bain was attempting to argue, but I'll indulge. You said,

"Our response to deaths should scale exactly proportionally to the number? I shouldn't let the death of a friend upset me disproportionally more than the death of a stranger?"

You're misrepresenting what he said. He never compared the death of a stranger to the death of a loved one. What he said is that it's silly to raise the tragedy of those who lost their lives in Boston above those who lost their lives in Texas this week. All premature death is a tragedy, but I didn't know anyone personally in Boston or Texas. So why should the deaths of those in Boston be more prolific to me than those that died in Texas?

You said,

"But what he said was more along the lines of, 'Let's not be very upset about these deaths, because then they will be used as an excuse for tyranny.'"

What he actually said was,

"Every death or injury is a sad thing, but the fact is that many happen every day, and we should not let these few upset us disproportionally more than the others. Let's make an effort not to get bent out of shape about them, so that we can resist when people try to cite them as an excuse for tyranny."

You can't change the words he used to misrepresent his argument because you didn't appreciate his bluntness. I'll admit, RMS is a very emotionally detached person, but that doesn't allow the opportunity to bend his words so that it makes it easier for you to shame him.

-----


> Every death or injury is a sad thing, but the fact is that many happen every day, and we should not let these few upset us disproportionally more than the others.

I disagree with you, but I think you're being thoughtful about it.

This is the problem I have with RMS.

Some deaths are more meaningful. Some events are more important.

If a man has a gun pointed at your face, do you ignore it because your singular death won't reach the number of yearly deaths for cancer or car accidents? By RMS's absurdly detached logic, you ignore the gun in your face.

Intention is everything in this issue. A pair of men running around blowing up people and emptying entire magazines in busy neighborhoods trying to murder their pursuers is so qualitatively different from any other quantitatively comparable event where people are killed and hurt without similar intention as to be virtually incomparable. RMS is admonishing us for not comparing the raw body counts.

He would have us ignore the gunman with the gun to our head while wearing a hazmat suit and SPF90 sunblock, because quantitatively the flu and cancer result in a higher body count than just little old me, and I shouldn't be so selfish as to not walk around with those protections or I might add to the tally for those kinds of deaths.

Once you start just adding up bodies and comparing the tallies, you've lost the narrative.

-----


> So why should the deaths of those in Boston be more prolific to me than those that died in Texas?

I don't think prolific is the word you mean, but I'll assume you meant "meaningful" or "emotional." No one is telling you how much you should care about Boston versus Texas. The point is that for those of us who are personally affected by the Boston incident, we resent being told that we should care more about the Texas incident, because it is natural that we would be more upset about the incident that personally affected us.

> You can't change the words he used to misrepresent his argument because you didn't appreciate his bluntness.

The change of wording wasn't relevant to my point, I was simply trying to summarize his view. Insert "let's make an effort not to get... as an excuse for tyranny" (his actual quote) for the paraphrased quote that I used, and the point still stands: the government's supposed tendency towards tyranny should cause us to resist tyranny, not to temper our emotional reactions to the deaths of community members.

-----


> The point is that for those of us who are personally affected by the Boston incident, we resent being told that we should care more about the Texas incident, because it is natural that we would be more upset about the incident that personally affected us.

Look, if you know someone that was killed or injured, then it obviously affects you more personally than it would other people, and there's nothing in RMS's statement that says otherwise. And if you were affected, you obviously weren't the intended audience (he was replying to a message to stay inside during Boston's pseudo-curfew). However, if your only connection to the event is your geographical proximity, then that does not grant you some sort of higher level of emotional standing that the rest of us could not claim. Every death of an innocent person is a sad, tragic thing; we don't need to be in Boston to understand that.

"The change of wording wasn't relevant to my point, I was simply trying to summarize his view. Insert "let's make an effort not to get... as an excuse for tyranny" (his actual quote) for the paraphrased quote that I used, and the point still stands: the government's supposed tendency towards tyranny should cause us to resist tyranny, not to temper our emotional reactions to the deaths of community members."

No, you're still taking what he said out of context. And your summarization of his comments is not correct. He did not say "temper", that's your word. He said "[...]let these few upset us disproportionally more than the others." Keyword is 'disproportionally'.

I'm, statistically speaking, more likely to die in a car accident than a terrorist attack. I could die in a car accident tomorrow. My family would be very sad and traumatized. However, I doubt they would stop using cars to get around. In fact, I'd bet they would take a car to the hospital to come get my body. With the Boston attack though, the authorities said everyone should stay inside in the entire city, because of the violence that happened in a few public places. That's the disproportionality that RMS was trying to point out in his statement.

That you took it that he said you should 'temper' your emotions is no fault of Stallman. You're attempting to parse out an argument that just isn't there.

-----


I really don't see what this has to do with the Boston bombing or people's reactions to the events of today. I took a different argument to the Holocaust extreme in another comment and it applies just as well here: why should we be "bent out of shape" today about plant safety when genocide kills millions of times more people?

-----


I heard/read that for homes with inhabitants present, the inhabitants were asked if they would like their homes searched.

I'm not sure if they searched empty homes, but if they did, then they probably believed it to be exigent circumstances.

-----


I thought it was really odd that they told people they could go about their business after completing the Watertown search without finding him. It seemed to me at that point the probability of us being injured had just gone up. However, lifting the stay-indoors request turned out to be crucial, because a man spotted the blood on the boat only after going outside for the first time all day.

On the other hand, if they had simply expanded the search area block by block without lifting the stay-indoors request, then they probably would have found him quickly with less risk to Watertown residents. In any case, I agree that it's important for the governments involved to evaluate what could have been done better.

-----


> I thought it was really odd that they told people they could go about their business after completing the Watertown search without finding him.

You find it really odd we don't live in a police state?

-----


I think you're misinterpreting my comment. I found it odd that we were advised to stay indoors all day and then told that we no longer needed to stay indoors at the exact point at which danger seemed to be more likely. My comment wasn't saying anything about my opinion as to whether or not the stay-indoors request was reasonable.

But I think it's also worth noting that the stay-indoors request was a request, as far as I know. Every notification that I received was something along the lines of people being asked to stay indoors with the doors locked, and I know people who chose to go outdoors before the request was lifted. The city shut down because people chose to honor the request out of confidence in the judgement and good intentions of the police. I personally chose to stay indoors because I thought the suspect was probably wandering around on foot in the Watertown/Cambridge area and I thought the inconvenience of staying inside for a day outweighed the risk of running into him.

-----


The suspect hiding in the boat was found directly because the police finally told people to go about their business.

Alternatively, if they had lifted the shelter-in-place order earlier, the guy would have gone out in his yard and noticed something going on in his boat sooner.

-----


> On the other hand, if they had simply expanded the search area block by block without lifting the stay-indoors request, then they probably would have found him quickly with less risk to Watertown residents.

On the other other hand, it was getting dark -- the stay-indoors request was lifted an hour from sunset -- and it would have been harder to see the blood without daylight. So maybe they lifted it just in time, or should have lifted it much earlier?

-----


> However, lifting the stay-indoors request turned out to be crucial, because a man spotted the blood on the boat only after going outside for the first time all day.

And I think that was why they might have decided to allow it. Most people would NOT have felt comfortable going outside until he was caught and by letting people go out they had more eyes and a better chance of spotting him. It worked, and quickly.

-----


Not to mention inconsistent with his own reactions. I don't think rms spent all day today mourning the Holocaust or the fallen soldiers of the Civil War.

-----


The feed is no longer working for me, maybe too much traffic? Does anyone know of a live transcript?

-----


http://tunein.com/radio/Boston-Police-Fire-and-EMS-Scanner-s...

-----


http://webchat.freenode.net/ ##bostonscanner

-----


It sounds like the suspect fled in an unknown direction.

-----


"There was a shooting at 32 Vassar St... No suspect description... No direction of flight..." MIT officer was shot and weapon stolen, I think they said the weapon was recovered. Officer is at MGH. Witness in lobby of Stata saw man in cowboy hat.

(All that on the police scanner in the last minute or so)

-----


Live stream of police scanner: http://www.broadcastify.com/listen/feed/6254/web

-----


Thanks for this.

Kinda feels weird sitting in Jamaica listening to the police scanner around MIT.

Kinda awesome too - I know the tech is simple...but actually experiencing it, gives you this "world is small" feeling.

-----


I would dearly love to be able to listen to the Jamaican police scanner!

-----


Hrmmm....now that I think about it...so would I!

I wonder how that could be arranged.

-----


I'm sitting on the couch in Auckland, New Zealand feeling the same.

-----


I'm hearing it was armed robbery with life threatening injuries to the MIT police officer: http://www.wcvb.com/MIT-campus-police-officer-shot/-/9849586... https://www.facebook.com/permalink.php?story_fbid=1015157344...

-----


On MBTA police scanner I hear Hispanic, possibly wearing a cowboy hat, with blood on him.

-----
