Slashdot Mirror

← Back to Stories (view on slashdot.org)

Botched npm Update Crashes Linux Systems, Forces Users to Reinstall (bleepingcomputer.com)

Posted by msmash on from the beware dept.

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0. -- the buggy npm update. Users who installed this update -- mostly developers and software engineers -- will likely have to reinstall their system from scratch or restore from a previous system image.

4 of 256 comments (clear)

  1. Rescue mode by Camel+Pilot · · Score: 4, Informative

    If it is a file permission issue... boot from install disk into rescue mode... chmod and reboot. I don't get it.

    1. Re:Rescue mode by RightwingNutjob · · Score: 4, Informative

      Maybe. But the point is it's not acceptable to fuck up users' machines and make them go through all that work to fix it.

      More precisely, I don't know exactly what should be readable by all vs readable by certain groups vs readable by root only in /usr and especially in /etc. I could very well leave my machine's private keys readable by all by mistake. That's a lot of work to track down. So I'd need to reinstall to ensure that it's all correct and I'm not leaving any holes.

      I say again: It's not acceptable to make your users go through that work. And I also say again: automatically and implicitly trusting package maintainers to do the right thing is awful security policy and awful from a reliability standpoint. All updates should be tested before they are deployed. For home users this isn't practical and we have to rely on the distros to do this for us. Trust breaks down severely when fuckups like this go through and it lends credence to people who don't update their software automatically on the grounds mentioned above. This is bad when actual security fixes need to be deployed out, and it's all the more crucial for ALL software maintainers in OSS to make sure their shit works. Trust is the currency of OSS, and unlike dollars, you can't get some more by going to the bank, you have to earn it.

  2. Re:I remain of the opinion... by BlueLightning · · Score: 5, Informative

    I'd recommend watching this talk:

        https://www.youtube.com/watch?...

    or if you prefer, the excellent-as-usual LWN summary:

        https://lwn.net/Articles/71231...

    I don't like the language-specific package manager situation either, but the way these languages split things up does not lend itself well to the distro packaging model either unfortunately.

  3. Always requiring the latest version of everything by jrumney · · Score: 3, Informative

    This is why I always reject anything that has requirements that I install the latest version of everything and use a language specific package manager to manage dependencies. Javascript packages seem the worst for the "bleeding edge" requirement, but Java, PHP, Python, Ruby and even Perl have long had issues with requiring the language specific package manager to be used.

    If my distro maintainers have not packaged it and tested to the level that the rest of the OS gets tested, then it has no place on my server.