Question: @gyzerok yeah I thought that native modules might be an issue. But very few native modules are let into the elm package list right?

Asked By
mcoquand
Asked At
2018-02-05 20:15:11

Found 15 possible answers.

User Answered At Possible Answer
gyzerok 2018-02-05 20:15:47 Yeah, this is right. My point is not about them. I believe that stuff from elm-lang is safe. At least this is my understanding. Not sure if it is 100% correct. Or not actually their code but the repository elm-package installs from. The actual code of packages is protected by GitHub HTTPS. What is not safe: their JS code could be changed on the fly.
ilias 2018-02-05 20:18:34 Code of packages is indeed downloaded from github (over https). There are some things planned to also add checksums, iirc
mcoquand 2018-02-05 20:19:48 Then the things to look out for are native modules and packages with Cmd msg then? I guess this is another huge plus for Elm
gyzerok 2018-02-05 20:19:50 Yeah, then the code part is cool. It’s just that somebody down the network can make you believe that you are installing from github.com/elm-lang/http while in fact you are installing from tortuga.com/i-will-still/all-your-data
ilias 2018-02-05 20:21:03 Yeah, that's what the checksums should help with. It's certainly a _lot_ harder to make this happen in Elm than it is in the npm ecosystem, though :slightly_smiling_face:
gyzerok 2018-02-05 20:22:02 But where are the checksums coming from? Are they still coming from the package website? Cuz in this case the attack will still be valid, cuz it’s based on package website traffic being unencrypted
ilias 2018-02-05 20:23:01 Yeah, I mean, combined with the tls changes
gyzerok 2018-02-05 20:23:19 Ah, ok, I’ve missed that :0
adrianb 2018-02-05 20:25:04 Hi all. Does anybody have a sense of how quickly Elm projects should compile? I have about 6500 lines of Elm in 34 files and a complete rebuild takes about 10 minutes on one 3GHz core. Is that abnormally slow?
ilias 2018-02-05 20:25:54 https://gist.github.com/zwilias/7ed394ec0e9c6035e1874d19b721e294 may help
adrianb 2018-02-05 20:51:43 Thanks @ilias... I guess I'll wait for 0.19 to see how the new exhaustiveness checker helps.
juannerito 2018-02-05 20:54:11 @adrianb, that feels slow. I have ~10,000 LOC in 68 modules, with 304 imports, and it compiles in ~20 sec on a 2016 MBP. I’m also looking at ways to speed my compilation up, as the 20 second compilation time is a real productivity killer. @ilias, thanks for posting that gist. FWIW, I’m using https://github.com/stil4m/elm-analyse to get these numbers. It’s a great tool for analyzing and linting your code
huscar 2018-02-05 21:07:27 @mcoquand Also the view function; AFAIK there is the possibility of injecting JavaScript there.
jessta 2018-02-05 21:31:49 Yeah, you can create script tags and put whatever you want in that, also "javascript:" in link href.
huscar 2018-02-05 21:37:39 Would it be a good idea to check packages for such nodes and post a warning on the website? Might discourage people from using legitimate packages but on the other hand it would increase user-awareness of the potential risk.
