Our plan for a more secure npm supply chain
Addressing a surge in package registry attacks, GitHub is strengthening npm’s security with stricter authentication, granular tokens, and enhanced trusted publishing to restore trust in the open source ecosystem.
The post Our plan for a more secure npm supply chain appeared first on The GitHub Blog. ⌘ Read more
@anth@a.9srv.net happy birthday, “youngster!”
My hypothesis for why registries didn’t work and why they still won’t really work today is that they bend the rules of “true” decentralization a bit. Users have to pick one or more registries to “register” to. Why would they want to do this? What is their incentive to do so? Then on the other hand, users need a client that has registry support, but now which registry or sets of registries do you choose?
@prologic@twtxt.net yes.. But have I? And all the other pods and registries?
yep, it looks nice! How could I add my URL?
Is it following the same endpoints as https://registry.twtxt.org/swagger-ui/#/users/addUser ?
BTW, I think that the usage section has a wrong base URL or something.
For example if you enter here: https://watcher.sour.is/conv/4rx5iyq
It says to look for this URL: https://watcher.sour.is/conv/4rx5iyq/api/plain/users
Which seems to return the content from https://watcher.sour.is
Hi, so I made a little MVP registry crawler tool for twtxt. It now has a basic UI to play with. It has a somewhat full history back to about 2018-ish. Plus some interesting bits that were timestamped to earlier.
Find it here: https://watcher.sour.is
Code base is found here: https://git.sour.is/sour-is/xt
Registry format is its own thing. It takes the regular feed and appends nick \t uri \t to it. It’s something that existed before yarn got big. There is still a bit of work but I will put together a UI for it to make it easier to view and navigate.
thanks for sharing @xuu@txt.sour.is!
Checking for example https://watcher.sour.is/api/plain/twt or https://registry.twtxt.org/api/plain/tweets, I don’t know whether this syntax is being used by clients or by people. Is it integrated on Yarn in any way? Genuinely asking to know more about it.
If I might throw a quick thought to those working on the registries, it would be nice to have an endpoint with a valid twtxt output (perhaps cached or dumped to a static file) which a client could point to, helping to discover its content in a way which is compatible with the twtxt spec.
Taking the first twt I found in https://watcher.sour.is/api/plain/twt as an example:
reddit_world_news https://feeds.twtxt.net/Reddit_World_News/twtxt.txt 2025-03-28T00:29:25Z **China bans US logs. 3 billion dollar[...])
it would be something like
TIME <@NICK URL> TWT
2025-03-28T00:29:25Z <@reddit_world_news https://feeds.twtxt.net/Reddit_World_News/twtxt.txt> **China bans US logs. 3 billion dollar[...])
That way you could watch the latest twts with your client, something similar to what we find on Mastodon: https://mastodon.online/public/local
Some support from the clients to separate these ‘discovery’ content, from your following timeline might be required. 🤔
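A small converter showing the transformation the post above sketches, as an added example that is not code from any registry or from the poster: registry-format lines (nick, feed URL, timestamp and text separated by tabs, as served by the /api/plain/twt endpoints) are turned into twtxt lines using the `TIME <@NICK URL> TWT` shape exactly as written in the post. The sample input is constructed; lines with too few fields, an unparsable timestamp or a non-URL feed field are dropped, since a discovery feed aggregates content from feeds the client does not control.

```python
from datetime import datetime

# Constructed sample in registry format: nick, feed URL, timestamp, text,
# tab-separated. The last three lines are deliberately malformed.
REGISTRY_SAMPLE = (
    "reddit_world_news\thttps://feeds.twtxt.net/Reddit_World_News/twtxt.txt"
    "\t2025-03-28T00:29:25Z\t**China bans US logs. 3 billion dollar[...])\n"
    "alice\thttps://example.org/twtxt.txt\t2025-03-27T10:00:00Z\tHello\tworld with a tab\n"
    "broken line without enough fields\n"
    "bob\thttps://example.org/bob.txt\tnot-a-timestamp\tskipped\n"
    "mallory\tjavascript:alert(1)\t2025-03-27T10:00:00Z\tbad feed field\n"
)

ALLOWED_SCHEMES = ("http://", "https://", "gemini://")


def parse_registry_line(line):
    """Return (nick, url, timestamp, text) or None when the line is unusable."""
    parts = line.rstrip("\n").split("\t", 3)   # text may itself contain tabs
    if len(parts) != 4:
        return None
    nick, url, ts, text = parts
    try:
        # Registry timestamps are RFC 3339; %z accepts the trailing 'Z'.
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z")
    except ValueError:
        return None
    if not url.startswith(ALLOWED_SCHEMES):
        return None
    return nick, url, ts, text


def registry_to_twtxt(data):
    """Convert registry-format text into twtxt lines: TIME<TAB><@NICK URL> TWT."""
    out = []
    for line in data.splitlines():
        parsed = parse_registry_line(line)
        if parsed is None:
            continue
        nick, url, ts, text = parsed
        # twtxt is line-oriented: fold stray tabs so one twt stays one field.
        text = text.replace("\t", " ")
        out.append(f"{ts}\t<@{nick} {url}> {text}")
    return out


if __name__ == "__main__":
    for twt in registry_to_twtxt(REGISTRY_SAMPLE):
        print(twt)
```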
@eapl.me@eapl.me I am currently working on implementing a registry that is also a crawler. It finds any feeds that are mentioned or in the follows header.
https://watcher.sour.is/api/plain/twt
https://watcher.sour.is/api/plain/users
I think @prologic@twtxt.net is also working on one.
somehow I forgot that existed.
Perhaps it was its mention of being a demo implementation here:
https://twtxt.readthedocs.io/en/latest/user/registry.html#registry
So I thought it wasn’t really active.
Anyway, I think that’s a good idea.
Is there something similar available on Yarn? Sorry for asking if that was mentioned recently.
I think that the clients may help you to submit your URL to these directories, and also to get a view of the twts in them.
@eapl.me@eapl.me this “directory” is actually named registry. You can see users at https://registry.twtxt.org/api/plain/users and their twts at https://registry.twtxt.org/api/plain/tweets
Hmm so looking at the swagger of the registry spec client it seems to just take a “page”.. That seems worse than doing an offset. Lol.
https://github.com/DracoBlue/twtxt-registry/blob/master/src/swagger.json
I’m not much a fan of registry limit/offset paging. I think I prefer the cursor/count method. And starting at zero for first and max for latest.
tt reimplementation that I already followed with the old Python tt. Previously, I just had a few feeds for testing purposes in my new config. While transferring, I "dropped" heaps of feeds that appeared to be inactive.
I need to import my yarn cache. It’s sitting at about 1.5G in registry format. That should make things interesting…
I’d like to know more about what andros and prologic are talking about, I feel lost.
“This will be managed by Registries.” Are we talking about these registries?
https://twtxt.readthedocs.io/en/latest/user/registry.html
@prologic@twtxt.net yes! Of course. However give me some time, I want to define a small proposal for the Registry (v2?)
pls elaborate on a ‘p2p database’, ‘all story’ and ‘Registries’.
My first thought takes me to something like secure-scuttlebutt
which it’s painful to sync data using clients, and too slow compared to downloading a text file.
Also I’d like for twtxt to avoid becoming an ActivityPub. Works well but it uses too many resources IMO.
https://kingant.net/2025/02/mastodon-the-cost-of-running-my-own-server/
I’m defending being able to self-host your Web client (like you’d do with a WordPress; twtxt is microblogging, at the end), instead of federated instances, so in a first thought I’d say Registries have many disadvantages, the first one being that someone has to keep them active.
What does the #twtxt community think about having a p2p database to store all history? This will be managed by Registries.
Why not just use a registry? It can be personal or hosted by someone like registry.twtxt.org. It just needs to be adapted to support hashes.
@andros@twtxt.andros.dev Sorry I missed your messages to #twtxt on IRC. There are people there, but it can take several hours to get a response. E.g. I check it every day or two. I recommend using an IRC bouncer. To answer your question about registries, I used a couple of registries when I first started out, to try to find feeds to follow, but haven’t since then. I don’t remember which ones, but they were easy to find with web searches.
I found 2 active Registries: tilde.instite and twtxt.envs.net. I think that a repository or system for them to find each other is missing. It is easy to share registry users. Your work is awesome! Maybe you are supporting twtxt with the pod and software around them. I am very busy with the Emacs client, but I would like to work on creating my own version of Registry using Django.
Are there any good Registries? I would like to check the mentions.
@david@collantes.us Thanks, that’s good feedback to have. I wonder to what extent this already exists in registry servers and yarn pods. I haven’t really tried digging into the past in either one.
How interested would you be in changes in metadata and other comments in the feeds? I’m thinking of just permanently saving every version of each twtxt file that gets pulled, not just the twts. It wouldn’t be hard to do (though presenting the information in a sensible way is another matter). Compression should make storage a non-issue unless someone does something weird with their feed like shuffle the comments around every time I fetch it.
@prologic@twtxt.net I believe you when you say registries as designed today do not crawl. But when I first read the spec, it conjured in my mind a search engine. Now I don’t know how things work out in practice, but just based on reading, I don’t see why it can’t be an API for a crawling search engine. (In fact I don’t see anything in the spec indicating registry servers shouldn’t crawl.)
(I also noticed that https://twtxt.readthedocs.io/en/latest/user/registry.html recommends “The registries should sync each others user list by using the users endpoint”. If I understood that right, registering with one should be enough to appear on others, even if they don’t crawl.)
Does yarnd provide an API for finding twts? Is it similar?
@prologic@twtxt.net I guess I thought they were search engines. Anyway, the registry API looks like a decent one for searching for tweets. Could/should yarn.social pods implement the same API?
@prologic@twtxt.net What’s the difference between search.twtxt.net and the /api/plain/tweets endpoint of a registry? In my mind, a registry is a twtxt search engine. Or are registries not supposed to do their own crawling to discover new feeds?
@prologic@twtxt.net How does yarn.social’s API fix the problem of centralization? I still need to know whose API to use.
Say I see a twt beginning (#hash) and I want to look up the start of the thread. Is the idea that if that twt is hosted by a yarn.social pod, it is likely to know the thread start, so I should query that particular pod for the hash? But what if no yarn.social pods are involved?
The community seems small enough that a registry server should be able to keep up, and I can have a couple of others as backups. Or I could crawl the list of feeds followed by whoever emitted the twt that prompted my query.
I have successfully used registry servers a little bit, e.g. to find a feed that mentioned a tag I was interested in. Was even thinking of making my own, if I get bored of my too many other projects :-)
@prologic@twtxt.net Yes, fetching the twt by hash from some service could be a good alternative, in case the twt I have does not @-mention the source. (Besides yarnd, maybe this should be part of the registry API? I don’t see fetch-by-hash in the registry API docs.)
Bringing npm registry services to GitHub Codespaces
The npm engineering team recently transitioned to using GitHub Codespaces for local development for npm registry services. This shift to Codespaces has substantially reduced the friction of our inner development loop and boosted developer productivity.
The post Bringing npm registry services to GitHub Codespaces appeared first on [The GitHub Blog] … ⌘ Read more
I’ve added myself to the registries at registry.twtxt.org and twtxt.tilde.institute. I wonder if there’s a list of registries. #meta
Right now I have to setup jenny for my timeline. Just added myself to the Registry so that part is done.
GitHub Enterprise Server 3.5 is now generally available
GitHub Enterprise Server 3.5 is available now, including access to the Container registry, the addition of Dependabot, enhanced administrator capabilities, and features for GitHub Advanced Security. ⌘ Read more
Enhanced 2FA experience for your npm account
Late last year, in response to an unprecedented series of account takeovers resulting from the compromise of developer accounts without 2FA enabled, we committed to a variety of enhancements to the npm registry to make two-factor authentication (2FA) adoption easier for developers. Today, we are launching a public beta for a significantly improved 2FA experience […] ⌘ Read more
Though twtxt registries never really took off gemini://warmedal.se/~antenna/twtxt.txt presents the last 7 days of twts known by Antenna in the registry format. It’s intended to be a help in discovering twt feeds in geminispace (there aren’t very many yet).
Enrolling all npm publishers in enhanced login verification and next steps for two-factor authentication enforcement
Today we’re introducing enhanced login verification to the npm registry, and we will begin a staged rollout to maintainers beginning Dec 7. ⌘ Read more
GitHub’s commitment to npm ecosystem security
We’re sharing details of recent incidents on the npm registry, our investigations, and how we’re continuing to invest in the security of npm. ⌘ Read more
The npm registry is deprecating TLS 1.0 and TLS 1.1
Beginning October 4, 2021, all connections to npm websites and the npm registry, including for package installation, must use TLS 1.2 or higher. ⌘ Read more
GitHub Packages Container registry is generally available ⌘ Read more…
Securing the open source supply chain by scanning for package registry credentials ⌘ Read more…
Introducing GitHub Container Registry ⌘ https://github.blog/2020-09-01-introducing-github-container-registry/
Our getwtxt (registry server on https://twtxt.envs.net) is now on version 0.4.13.
https://registry.twtxt.org << certificate has expired
005.00 POST: the registry sure is a little weird…idk, does it only pick up messages AFTER registration?
http://twtxt.tildeverse.org new twtxt registry! Enjoy!
Band name of the day: the central premonitions registry
30 years later, QBasic is still the best | Personal Registry Editor http://www.nicolasbize.com/blog/30-years-later-qbasic-is-still-the-best/
We probably should put that in the registry spec. I use /tweets/by/$twturl but /tweets?by=$twturl would probably be more correct.
@kas@enotty.dk, @dracoblue@dracoblue.net You’re right, we should really use robots.txt for twtxt registries. Maybe I’ll even add this as an option to #txtnix.
It’s been running since last night, supports the twtxt registry API and crawls the feeds for new URLs. #roster
You can even just call txtnit register to register at your friendly neighborhood’s registry.
#txtnix now has support for all registry endpoints, you can query tags, tweets, mentions and users.
@reednj@reednj.com Would you mind adding this functionality to your registry?
If you’re registered with reednj, would you mind being automatically added to a registry? Is reednj just the registry that won? :)
Already registered with ?
Does anybody have an opinion about https://github.com/DracoBlue/twtxt-registry/issues/4?
Now I just have to figure out how to change my URL at the registry… :)
txtnix v0.03 now has support for mentions via registries. Now, if just more users would use registries…
@dracoblue@dracoblue.net It doesn’t seem to matter what page I request, the result is always the same? #registry
It is interesting how the registries like http://twtxt.reednj.com/ are the things enforcing that nicks are unique.