Verify (and possible mirror) NPM installers #26

Open
siepkes opened this issue Jun 7, 2018 · 3 comments

@siepkes
Member

siepkes commented Jun 7, 2018

As discussed in #24 the openam-ui-ria project pulls in an NPM installer via a Maven plugin. We need a way to verify the NPM installer we downloaded.

This might require adding functionality to the com.github.eirslett:frontend-maven-plugin plugin. NPM provides a list with hashes of the installers (SHASUMS256.txt) and has also signed this list (SHASUMS256.txt.asc).
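
The digest check described in the comment above, as an added example (not code from this issue, the project, or frontend-maven-plugin). It assumes SHASUMS256.txt has already been authenticated against SHASUMS256.txt.asc with a trusted key, since a checksum list fetched from the same place as the installer proves nothing by itself; the function names and the sample file are hypothetical and constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Entry format written by sha256sum: 64 hex digits, whitespace, file name.
_ENTRY = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")

class VerificationError(Exception):
    """The installer must not be used."""

def parse_shasums(text):
    """Return {file name: hex digest}; reject malformed or conflicting lines."""
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _ENTRY.match(line)
        if m is None:
            raise VerificationError(f"line {lineno}: not a checksum entry")
        digest, name = m.group(1).lower(), m.group(2)
        if digests.setdefault(name, digest) != digest:
            raise VerificationError(f"line {lineno}: conflicting digests for {name}")
    return digests

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream large installers
            h.update(chunk)
    return h.hexdigest()

def verify_installer(path, shasums_text):
    """Fail closed: an unlisted file is as fatal as a mismatching digest."""
    name = Path(path).name
    expected = parse_shasums(shasums_text).get(name)
    if expected is None:
        raise VerificationError(f"{name} is not in the checksum list")
    if not hmac.compare_digest(sha256_file(path), expected):
        raise VerificationError(f"digest mismatch for {name}")
    return expected

def demo():
    """Constructed sample data: a stand-in file and a matching one-line list."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "example-installer.tar.gz"
        f.write_bytes(b"constructed installer bytes")
        return verify_installer(f, f"{sha256_file(f)}  {f.name}\n")
```

A build step would call `verify_installer` on the downloaded archive before unpacking it and abort the build on `VerificationError`.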

@siepkes
Member Author

siepkes commented Jun 7, 2018

@Kortanul FYI

@Kortanul
Member

@siepkes got your message about this, but am not sure if I'm the best one to take this on.

@siepkes
Member Author

siepkes commented Jun 16, 2018

@Kortanul Didn't mean to imply you should take it on ;-). The FYI was more because this is something that is also of value for IDM, and so that you are aware of this "hole" in our verification process.
