Comment by dboreham
2 months ago
Problem is that beyond some threshold number of authors, the probability they're all trustworthy falls to zero.
It's true that smuggling multiple identities into the whitelist is one attack vector, and one reason why I said "cut down" rather than "eliminate". But that's not easy to do for most organizations.
For what it's worth, back when I was active at the ASF we used to vote on releases — you needed at least 3 positive votes from a whitelist of approved voters to publish a release outside the org and there was a cultural expectation of review. (Dunno if things have changed.) It would have been very difficult to duplicate this NPM attack against the upstream ASF release distribution system.