That's really funny. I went to the github repo and saw my words copied and pasted from my blog into the description.
I'm not upset though, I think this is actually pretty cool. Good job for putting this together. I'm happy with people using this if they want to run it locally.
We use https://github.com/meltwater/secretary . The key differences with Secretary is that plaintext secrets are never stored to disk or otherwise made visible outside the container.
I am a Digital Ocean customer and the only password they've ever emailed me is the root password for the server I just bought. Arguably this isn't as safe as AWS' process of making you download a kaypair and only letting you login with that. However, VPS owners should get in the habit of logging on to any server they buy and immediately disabling password auth and root login via SSH, which helps negate the root password being sent over email issue to a certain extent.
How is downloading a key pair generated by someone else safer? If this is only for login purposes (I don't use AWS, so maybe there is another reason), you should generate your own key pair and send them only your public key (which doesn't require an encrypted transfer, BTW). If AWS knows your private key and can view it or provide it to you at anytime, that's no different than storing passwords in plaintext.
AWS generates the key pair client side, and never sees your private key. Also, you can just chose to upload your own public key that AWS will utilize (which is best practice).
AWS cannot view or provide you your private key at any time - once you click 'ok' on that javascript window, that private key is gone for good.
The keypair AWS generates can only be downloaded once, at the time of instance creation. Beyond that, they expect you to be in possession of the keypair when launching another instance that uses the same keypair. If you happen to lose the file, you're basically out of luck.
So to directly address your concern, you can't download the keypair at any point in time, it's just a one time thing. To me that seems much more secure than emailing out a root password and enabling password authentication by default.
I much prefer DigitalOcean's option of no root password and letting me upload my public key. There's no need for them ever to know my password or private key.
is there any small library ala "notjquery.js" that is a drop in replacement for jquery but that calls the browser native stuff directly ? serious question ?
You probably want something like Zepto.js. I'd also look into Lo-dash, which is a better, more functional-friendly version of Underscore.js that provides a ton of useful helper functions.
Be warned: Zepto doesn't claim to support any version of IE, so if you need IE support you'll want to fall back to jquery (yepnope works. Conditional HTML won't in IE10+).
jQuery does exactly that, with polyfills for browsers without the native implementation. jQuery 2.x does away with many of the polyfills since older IE versions aren't supported.
If you want an even smaller jQuery, you can build your own[0] without the modules you don't need.
