Comment by groby_b

2 months ago

> everything should be a library.

That's exactly npm's problem, though. What everybody is avoiding saying is that you need a concept of "trusted vendors". And, for the "OSS accelerates me" business crowd, that means paying for the stuff you use.

But who would want that when you're busy chasing "market fit".

> That's exactly npm's problem, though.

I don't think that's the problem with npm. The problem with npm is that no packages are signed, at all, so it ends up trivial for hackers to push new package versions, which they obviously shouldn't be able to do.

  • Since Shai-Hulud scanned maintainers' computers, if the signing key was stored there too (without a password), couldn't the attackers have published signed packages?

    That is, how does signing prevent publishing of malware, exactly?

    • > if the signing key was stored there too (without a password), couldn't the attackers have published signed packages?

      Yeah, of course. Also if they hosted their private key for the signature on their public blog, anyone could use it for publishing.

      But for the sake of the argument, why don't we assume people are correctly using the thing we're talking about?

    • In past comments I said that a quick win would be to lean on certificates; those can't easily be forged once a certificate is accepted.