From 788e7ed42854b5c5e19735d1dea276ab118a14c1 Mon Sep 17 00:00:00 2001
From: Vincenzo Ferrari <wilk3ert@gmail.com>
Date: Sat, 14 Jul 2018 00:32:26 +0200
Subject: [PATCH 1/3] First draft of SNPM

---
 accepted/0000-secure-npm.md | 77 +++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 accepted/0000-secure-npm.md

diff --git a/accepted/0000-secure-npm.md b/accepted/0000-secure-npm.md
new file mode 100644
index 0000000..bd2d7bd
--- /dev/null
+++ b/accepted/0000-secure-npm.md
@@ -0,0 +1,77 @@
+- Start Date: 2018-07-14
+- RFC PR:
+- Yarn Issue:
+
+# Summary
+
+NPM Secure prevents to publish open source packages without an integrity check with the source code, especially for those packages that are a result of a build/compilation/transpilation process.
+
+# Motivation
+
+### Why are we doing this?
+To improve NPM safety and security.
+
+### What pain points does this resolve?
+When a new package is being published on the NPM registry no one can say that the code is the same of that published on Github (or on to another public repo).
+
+### What use cases does it support?
+To prevent situations like these:
+
+- https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5
+- https://github.com/eslint/eslint-scope/issues/39
+
+### What is the expected outcome?
+NPM should prevent to publish open source packages without an integrity check with the source code (stored online not on the file system of the author’s computer), especially for those packages that are a result of a build/compilation/transpilation process.
+So, if an author wants to publish a new package that differs from its counterpart published on Github (or on to another public repo), NPM replies with an error.
+
+# Detailed design
+
+I’ve created a Proof of Concept, called SNPM, that instead of allowing the user to push the code directly on NPM, they need to push it on a public repo (like Github) and then ask NPM to fetch it.
+This procedure is validated using checksums of what being uploaded.
+
+Whole and detailed explanation described here: https://hackernoon.com/secure-npm-ca2fe0e9aeff
+
+# How We Teach This
+
+The specs are well detailed in this article: https://hackernoon.com/secure-npm-ca2fe0e9aeff
+Here's a working Proof of Concept: https://github.com/wilk/snpm
+
+It should inpact:
+- the `yarn build` command: it should build what will be published and put the checksum calculated from the build inside the `package.json`
+- the `package.json`: it should contain the `checksums` field, as explained by CommonJS (http://wiki.commonjs.org/wiki/Packages/1.1#Catalog_Properties)
+- the `yarn publish` command: instead of uploading the source code directly on the NPM registry, it should fetch it from Github
+
+# Drawbacks
+
+Why should we *not* do this? Please consider the impact on teaching people to
+use Yarn, on the integration of this feature with other existing and planned
+features, on the impact of churn on existing users.
+
+There are tradeoffs to choosing any path, please attempt to identify them here.
+
+# Alternatives
+
+### 1. unpkg.com
+It inspects the code that’s actually published.
+Unfortunately, this is a post-strategy (a curative one) and NPM should adopt a preemptive one.
+I think this job should be done by NPM during the publishing phase and not then, by the user on a certain version of the package.
+
+### 2. npm integrity
+It should check the integrity between what has been published on the NPM registry and what's published on Github, for instance:
+
+```
+$ npm pack --dry-run --json react | grep integrity
+
+> “integrity”: “sha512-7eocFH2ryezvBVXJbptblDSuLAQa8nOSDdAYtv/CHTG0btXuC1axHhVV6W8KVdWMNq7cF/w9Z/xVuoEK6IzXhQ==”,
+
+$ npm pack --dry-run --json github:facebook/react#semver:16.4.1 | grep integrity
+
+> “integrity”: “sha512-3GEs0giKp6E0Oh/Y9ZC60CmYgUPnp7voH9fbjWsvXtYFb4EWtgQub0ADSq0sJR0BbHc4FThLLtzlcFaFXIorwg==”,
+```
+
+Actually, I didn’t get on what files that checksum has been calculated.
+Anyway, it does not prevent the author to publish malicious code on NPM's registry.
+
+# Unresolved questions
+
+TBD

From 1d9c18768125445d0eb2c80ffd4865248cc88ec0 Mon Sep 17 00:00:00 2001
From: Vincenzo Ferrari <wilk3ert@gmail.com>
Date: Mon, 16 Jul 2018 08:22:20 +0200
Subject: [PATCH 2/3] completed RFC

---
 accepted/0000-secure-npm.md | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/accepted/0000-secure-npm.md b/accepted/0000-secure-npm.md
index bd2d7bd..b6362ce 100644
--- a/accepted/0000-secure-npm.md
+++ b/accepted/0000-secure-npm.md
@@ -9,7 +9,7 @@ NPM Secure prevents to publish open source packages without an integrity check w
 # Motivation
 
 ### Why are we doing this?
-To improve NPM safety and security.
+To improve Yarn safety and security.
 
 ### What pain points does this resolve?
 When a new package is being published on the NPM registry no one can say that the code is the same of that published on Github (or on to another public repo).
@@ -21,12 +21,12 @@ To prevent situations like these:
 - https://github.com/eslint/eslint-scope/issues/39
 
 ### What is the expected outcome?
-NPM should prevent to publish open source packages without an integrity check with the source code (stored online not on the file system of the author’s computer), especially for those packages that are a result of a build/compilation/transpilation process.
-So, if an author wants to publish a new package that differs from its counterpart published on Github (or on to another public repo), NPM replies with an error.
+Yarn should prevent to publish open source packages without an integrity check with the source code (stored online not on the file system of the author’s computer), especially for those packages that are a result of a build/compilation/transpilation process.
+So, if an author wants to publish a new package that differs from its counterpart published on Github (or on to another public repo), Yarn replies with an error.
 
 # Detailed design
 
-I’ve created a Proof of Concept, called SNPM, that instead of allowing the user to push the code directly on NPM, they need to push it on a public repo (like Github) and then ask NPM to fetch it.
+I’ve created a Proof of Concept, called SNPM, that instead of allowing the user to push the code directly on Yarn, they need to push it on a public repo (like Github) and then ask Yarn to fetch it.
 This procedure is validated using checksums of what being uploaded.
 
 Whole and detailed explanation described here: https://hackernoon.com/secure-npm-ca2fe0e9aeff
@@ -39,22 +39,19 @@ Here's a working Proof of Concept: https://github.com/wilk/snpm
 It should inpact:
 - the `yarn build` command: it should build what will be published and put the checksum calculated from the build inside the `package.json`
 - the `package.json`: it should contain the `checksums` field, as explained by CommonJS (http://wiki.commonjs.org/wiki/Packages/1.1#Catalog_Properties)
-- the `yarn publish` command: instead of uploading the source code directly on the NPM registry, it should fetch it from Github
+- the `yarn publish` command: instead of uploading the source code directly on the Yarn registry, it should fetch it from Github
 
 # Drawbacks
 
-Why should we *not* do this? Please consider the impact on teaching people to
-use Yarn, on the integration of this feature with other existing and planned
-features, on the impact of churn on existing users.
-
-There are tradeoffs to choosing any path, please attempt to identify them here.
+This feature requires extra work from Yarn servers in term of CPU and RAM because when a new package is published its build process need to be executed and verified.
+Publishing a package will be slower but safer.
 
 # Alternatives
 
 ### 1. unpkg.com
 It inspects the code that’s actually published.
 Unfortunately, this is a post-strategy (a curative one) and NPM should adopt a preemptive one.
-I think this job should be done by NPM during the publishing phase and not then, by the user on a certain version of the package.
+I think this job should be done by Yarn during the publishing phase and not then, by the user on a certain version of the package.
 
 ### 2. npm integrity
 It should check the integrity between what has been published on the NPM registry and what's published on Github, for instance:
@@ -73,5 +70,3 @@ Actually, I didn’t get on what files that checksum has been calculated.
 Anyway, it does not prevent the author to publish malicious code on NPM's registry.
 
 # Unresolved questions
-
-TBD

From 604cc9c5574af3ff5e5ca848465859b96c5e9192 Mon Sep 17 00:00:00 2001
From: Vincenzo Ferrari <wilk3ert@gmail.com>
Date: Mon, 16 Jul 2018 08:50:10 +0200
Subject: [PATCH 3/3] Add Cargo ref

---
 accepted/0000-secure-npm.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/accepted/0000-secure-npm.md b/accepted/0000-secure-npm.md
index b6362ce..5248078 100644
--- a/accepted/0000-secure-npm.md
+++ b/accepted/0000-secure-npm.md
@@ -70,3 +70,6 @@ Actually, I didn’t get on what files that checksum has been calculated.
 Anyway, it does not prevent the author to publish malicious code on NPM's registry.
 
 # Unresolved questions
+
+# Prior Art:
+Cargo does something like SNPM: https://doc.rust-lang.org/cargo/reference/publishing.html#github-permissions