Collaborate Disseminate
Does the GNU GUIX package manager in require successful cryptographic authentication and integrity validation for all packages?
I know that software downloaded with apt-get packages must be cryptographically verified because the repo’s man… Continue reading Does GUIX provide cryptographic authentication and integrity validation?
I would like to restrict the installation of npm package in some projects of my company to releases that are at least X weeks old.
The reason for that being that given enough time before installing a package version, it is likely that if t… Continue reading Only install packages that are at least X weeks old [migrated]
I use the Windows Package Manager (winget) to automate app installs on Windows, but I’ve got a MacBook Air M3 on the way. And while I knew there were various package managers available for that platform, I wasn’t familiar with any of them and was curio… Continue reading Automate App Install on the Mac with Homebrew (Premium)
Does Node.js’s npm package manager cryptographically validate its payload’s authentication and integrity for all packages after downloading them and before installing them?
I see a lot of guides providing installation instructions with ste… Continue reading Does Node.js’s npm provide cryptographic authentication and integrity validation?
I am specifically looking at the npm package metadata like from the lodash package, the relevant part which is this:
{
"shasum": "392617f69a947e40cec7848d85fcc3dd29d74bc5",
"tarball": "https://registr… Continue reading How is the npm package manager made robust security-wise, what are the keys they are using, and how do they use them?
I am wondering how to distinguish (password) prompts that the OS issued from prompts that are delivered application-side. This question first occurred to me when considering Firefox master passwords, but it just occurred to me that install… Continue reading Distinguish origin of password prompts
Does npm ensure that the packages are not spying on your data, saving it somewhere or is it the responsibility of the developer to ensure it? Can I confidently use the moderately well-known packages without the data being saved and mishand… Continue reading Security and data protection reviews of npm packages
Snap is yet another package manager for Linux that makes it possible to install applications not found in many apt repositories. Find out how to use Snap to keep your software up to date.
The post How to keep Snap packages up to date and take control o… Continue reading How to keep Snap packages up to date and take control of when you run the refresh command
Although the APT package manager is a simple and effective command-line tool for installing, updating, and removing software, it does have its weaknesses. Nala is here to improve on that.
The post Nala is a much cleaner, neater alternative for the APT … Continue reading Nala is a much cleaner, neater alternative for the APT package manager
The risks of supply chain attacks on software libraries is well documented, however, I have not seen much on OS packages/dependencies. How important is it to both 1) pin OS dependencies (apt,rpm,etc.) and 2) host them in private repositori… Continue reading Supply chain risks for OS packages