← Back to context

Comment by seanieb

2 months ago

There have been practical suggestions that could prevent this but NPM has not yet adopted:

- Prevent publishing new package versions for 24–48 hours after account credentials are changed.

- Require support for security keys.

4 comments

seanieb

Reply
lrvick  2 months ago

The most important is just having authors sign their code and packages, and verifying code that is signed on download, like every sane Linux distro goes.

Except NPM rejected this over and over going back to 2013.

https://github.com/npm/npm/pull/4016

  • andycaine  2 months ago

    Some of the reservations around GPG and PKI are understandable. GPG signing clearly works for OS package managers where there is more control, but it's been a failure on PyPi, RubyGems and Maven.

    I'd love to see npm adopt keyless signing like PyPi are doing with https://peps.python.org/pep-0740/.

    • lrvick  2 months ago

      Keyless signing is not a real thing. Trust online is always anchored to keys, even if short lived. Keyless signing just means letting a centralized oracle blind sign for you with trust anchored in a CA key of some kind in most cases, that an unknown number of people can tamper with.

      Also GnuPG is not PGP.

      My team and I dual PGP sign all packages in stagex with smartcards after confirmed determinstic builds. It works great, and avoids trust in any single party or computer. We even do this for all our python packages as pip will not allow it.

      It is a single command with a rust binary to setup a PGP smartcard out of the package, with a backup. (keyfork) All devs should be PGP signing releases, reviews, and commits so we have a paper trail blackhats cannot inject themselves into.

      There are no excuses other than misconceptions and misinformation on this topic being normalized.

      1 reply →