1

Topic: nodejs discussion

Since Node.js removal is on the TODO list and it's quite a big move, I thought it would be good to start a topic like this.

Node.js is a javascript runtime based on Google's javascript engine, also used in its browsers. Node is designed to allow server-side development and creation of command line tools in javascript. Some like the idea, some hate it... Nevertheless, some projects are written in/use it, hence the broken packages listed in the TODO task.

There seem to be 2 problems with node:

André Silva wrote:

As Node.js has history of malware in hosted packages and doesn't support LibreSSL, we have decided to blacklist it.

When I saw that I thought about what a possible replacement for node would be; I even asked that on the forums. Unfortunately, while some other (non-Google ^^) js engines exist, a Node.js API implementation would also be needed if one of them were to work as a replacement. As I have found, this has been tried with Mozilla's SpiderMonkey js engine, but the project was abandoned before being completed. ☹ Likewise, I don't seem to be able to find any good Node.js reimplementation.

That said, the "malware in packages" problem affects node's package manager, npm, rather than node itself. Language-specific package managers are a terrible thing IMO, freedom issues being one of the big problems with them. Here's an interesting rant about package managers I stumbled upon once (apparently written by a portage fan; it shouldn't make you think pacman is bad ☺).
My conclusion is that regardless of what node implementation would be used, either desired node programs would have to be packaged for pacman or a new, libre npm repository would need to be created for use by Hyperbola's npm.

As to the lack of LibreSSL support, I can't seem to find ANYTHING about attempts at building node against this TLS provider. Not even failure reports. ☹ BSDs (including OpenBSD) use node with OpenSSL. Node itself has a bundled version of it (but it also supports building against the system's OpenSSL). Perhaps Emulatorman, who I believe handles the LibreSSL migration, knows more or has actually attempted a build and could shed some light on this? ☺ Or maybe with some extra effort a port to LibreSSL would be possible?
From NetBSD's port of node (README.md and BUILDING.md in node's git branch are a bit cryptic to me) it seems that OpenSSL support is optional. I guess https calls won't work without it. But that's still better than nothing, right?

One more thing is unclear to me - what do '[ ]', '[*]', and '[#]' next to affected packages mean in the TODO task?

And the most important - what are YOUR thoughts and ideas?

2

Re: nodejs discussion

"and it's quite a big move, I thought it would be good to start a topic like this.

Node.js is a javascript runtime based on Google's javascript engine, also used in its browsers. Node is designed to allow server-side development and creation of command line tools in javascript. Some like the idea, some hate it... Nevertheless, some projects are written in/use it, hence the broken packages listed in the TODO task.

There seem to be 2 problems with node:

André Silva wrote:

As Node.js has history of malware in hosted packages and doesn't support LibreSSL, we have decided to blacklist it.

When I saw that I thought about what a possible replacement for node would be; I even asked that on the forums. Unfortunately, while some other (non-Google ^^) js engines exist, a Node.js API implementation would also be needed if one of them were to work as a replacement. As I have found, this has been tried with Mozilla's SpiderMonkey js engine, but the project was abandoned before being completed. ☹ Likewise, I don't seem to be able to find any good Node.js reimplementation.

That said, the "malware in packages" problem affects node's package manager, npm, rather than node itself. Language-specific package managers are a terrible thing IMO, freedom issues being one of the big problems with them. Here's an interesting rant about package managers I stumbled upon once (apparently written by a portage fan; it shouldn't make you think pacman is bad ☺).
My conclusion is that regardless of what node implementation would be used, either desired node programs would have to be packaged for pacman or a new, libre npm repository would need to be created for use by Hyperbola's npm.

As to the lack of LibreSSL support, I can't seem to find ANYTHING about attempts at building node against this TLS provider. Not even failure reports. ☹ BSDs (including OpenBSD) use node with OpenSSL. Node itself has a bundled version of it (but it also supports building against the system's OpenSSL). Perhaps Emulatorman, who I believe handles the LibreSSL migration, knows more or has actually attempted a build and could shed some light on this? ☺ Or maybe with some extra effort a port to LibreSSL would be possible?
From NetBSD's port of node (README.md and BUILDING.md in node's git branch are a bit cryptic to me) it seems that OpenSSL support is optional. I guess https calls won't work without it. But that's still better than nothing, right?"

I am curious now too about what the reason is...

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!

3

Re: nodejs discussion

LibreSSL support was requested in upstream NodeJS, and someone even forked it with the intent to merge. However, the NodeJS team rejected it and closed the bug ticket as WONTFIX. You can see the bug report here: https://github.com/nodejs/node/issues/428

As we are moving towards LibreSSL by default, it will not be possible to support NodeJS with OpenSSL. Someone who wishes to have this included may want to maintain a fork and request the package for re-inclusion at a later date.

I would note that if NodeJS is decided for re-inclusion with LibreSSL there is still an issue with the entire concept.
It seems to encourage users to use third-party libraries and write "web apps" using a centralized repository via npm.

Whereas there are many issues with various package managers, not all of them have had such a vibrant history of shipping trojans to their users.
They do not adhere to very good security practices, and it has resulted in putting users at risk. Due to our social contract, we currently believe NodeJS to be broken “by design”.

Lastly, we also do not support Electron (which is a Chromium wrapper), making the majority of these "apps" useless.

For those reasons, it was decided to remove it.

4 (edited by zapper 2019-07-07 05:18:00)

Re: nodejs discussion

g4jc wrote:

LibreSSL support was requested in upstream NodeJS, and someone even forked it with the intent to merge. However, the NodeJS team rejected it and closed the bug ticket as WONTFIX. You can see the bug report here: https://github.com/nodejs/node/issues/428

As we are moving towards LibreSSL by default, it will not be possible to support NodeJS with OpenSSL. Someone who wishes to have this included may want to maintain a fork and request the package for re-inclusion at a later date.

I would note that if NodeJS is decided for re-inclusion with LibreSSL there is still an issue with the entire concept.
It seems to encourage users to use third-party libraries and write "web apps" using a centralized repository via npm.

Whereas there are many issues with various package managers, not all of them have had such a vibrant history of shipping trojans to their users.
They do not adhere to very good security practices, and it has resulted in putting users at risk. Due to our social contract, we currently believe NodeJS to be broken “by design”.

Lastly, we also do not support Electron (which is a Chromium wrapper), making the majority of these "apps" useless.

For those reasons, it was decided to remove it.

Actually...

https://github.com/nodejs/node/pull/9376

If you read enough of this reply/thread, the node.js team seems to have thought it might be worth trying, but due to inactivity it was closed. But yeah... your other points were well taken.

I.e., adding support for LibreSSL as well as OpenSSL. But nonetheless, it didn't happen because people gave up.

HyperbolaBSD: The Future of Secure Libre Lightweight Operating Systems!