This is a good post-mortem with clear, policy-based remediations. Nicely done.
I wonder why they are only preventing republishing for 24 hours. Is there a good reason to allow a package namespace to be recycled with less than, say, a week? Is it based on the assumption that the only case where it comes up is during an incident, and 24 hours is enough time to assume an incident will be resolved? I'm curious what went in to that number.
So, a spammer uploaded something containing copied data from a legitimate user and npm deleted everything from that user. Oy.
Seems like npm might want to review the policy that allows stuff like that to happen.
Even if a user violates the spam policy (which, to be clear, it seems the affected user in this case did NOT do), that hardly seems to be appropriate grounds for deleting everything the user has ever published on npm.
That is a policy that is just begging for griefing.
> A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them [...]
Our first action, which began immediately after the incident concluded, was to implement a 24-hour cooldown on republication of any deleted package name.
> Our first action, which began immediately after the incident concluded, was to implement a 24-hour cooldown on republication of any deleted package name
I don't understand this. Why hard delete packages at all? Soft deleting feels like it would be easier and would stop people republishing with the same name.
They could also bake their warning process for dependent libraries (i.e. "this package is gone!") into the soft delete process.
> At the time of Saturday’s incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam.
I see this acknowledgement, but I cannot find where they will remedy this by putting placeholders in place of spam removals. As a concession, maybe only placeholders for spam removals of packages that are older than X days or depended on (explicitly or transitively) by X packages. Did I miss where the remedy for this spam-removed-package-reuse was in the blog post?
They have added a 24hour re-publishing cooldown for all package removals regardless of reason. Exceptions are made for the original publisher and npm staff.
Explained somewhere near the bottom of the post, basic rational is that it gives them time to notice fuckups and fix them.
[+] [-] bhuga|8 years ago|reply
I wonder why they are only preventing republishing for 24 hours. Is there a good reason to allow a package namespace to be recycled with less than, say, a week? Is it based on the assumption that the only case where it comes up is during an incident, and 24 hours is enough time to assume an incident will be resolved? I'm curious what went in to that number.
[+] [-] smt88|8 years ago|reply
If npm packages used a Github-style "author/package" format, name collision would never be an issue again.
[+] [-] detaro|8 years ago|reply
[+] [-] josephorjoe|8 years ago|reply
Seems like npm might want to review the policy that allows stuff like that to happen.
Even if a user violates the spam policy (which, to be clear, it seems the affected user in this case did NOT do), that hardly seems to be appropriate grounds for deleting everything the user has ever published on npm.
That is a policy that is just begging for griefing.
[+] [-] detaro|8 years ago|reply
That's one of the things the post mentions as what they are doing.
[+] [-] DanBC|8 years ago|reply
https://en.wikipedia.org/wiki/Joe_job
> A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them [...]
[+] [-] cwmma|8 years ago|reply
[+] [-] cremp|8 years ago|reply
Uh... Add in the fact that staff are now trigger happy, since a single button can do a lot of damage.
[+] [-] dumbmatter|8 years ago|reply
Why not infinity hours? I don't get it.
[+] [-] Vinnl|8 years ago|reply
[+] [-] kylemuir|8 years ago|reply
I don't understand this. Why hard delete packages at all? Soft deleting feels like it would be easier and would stop people republishing with the same name.
They could also bake their warning process for dependent libraries (i.e. "this package is gone!") into the soft delete process.
[+] [-] carsonreinke|8 years ago|reply
[+] [-] carsonreinke|8 years ago|reply
[+] [-] kodablah|8 years ago|reply
I see this acknowledgement, but I cannot find where they will remedy this by putting placeholders in place of spam removals. As a concession, maybe only placeholders for spam removals of packages that are older than X days or depended on (explicitly or transitively) by X packages. Did I miss where the remedy for this spam-removed-package-reuse was in the blog post?
[+] [-] avianlyric|8 years ago|reply
Explained somewhere near the bottom of the post, basic rational is that it gives them time to notice fuckups and fix them.