by Rhapso 3067 days ago
Thanks, I really like the core ideas of ssb but the nodejs implementation and lack of a security review give me a lot of professional reservations. I'm inclined to fork and use a more off the shelf method of securing p2p connections. The practice of binding a "secure" web-server to localhost is also a bit [dubious](https://security.stackexchange.com/questions/86773/how-secur...).
1 comments

What are your reservations about it being implemented in nodejs? It's not my favourite technology stack either (I much prefer scala / haskell), but it hasn't deterred me from using it or contributing to the project.

I wonder if a security review is something that can be funded through the open collective that is being set up (https://opencollective.com/secure-scuttlebutt-consortium ) or some other funding source.

By the way, the repositories that I mentioned earlier for the Rust implementation of the protocol in progress are mostly here:

https://github.com/AljoschaMeyer?tab=repositories

I have issues with js as a language but those are not security issues. My security-related issues are with the nodejs package infrastructure.

https://www.csoonline.com/article/3214624/security/malicious... The sprawling dependencies alongside potential security/breaking issues are huge. It is a large and vulnerable attack surface.

Fair play!