← Back to context

Comment by yupyupyups

16 hours ago

Something helpful here would be to enable developers to optionally identify themselves. Not Discord-style where only the platform knows their real identity, but publically as well.

13 comments

yupyupyups

Reply
gruez  14 hours ago

So, EV code signing certificates? Windows has that, and it'll verify that right in the OS. Git for instance, shows as being signed by

CN = Johannes Schindelin O = Johannes Schindelin S = Nordrhein-Westfalen C = DE

Downside is the cost. Certificates cost hundreds of dollars per year. There's probably some room to reduce cost, but not by much. You also run into issues of paying some homeless person $50 to use their identity for cyber crimes.

  • brabel  6 hours ago

    You don’t need certificates , just use PGP keys like Maven.

    • gruez  4 hours ago

      PGP keys don't tell you anything about a developers "real identity". Theoretically theres some "web of trust", but realistically everyone just blindly downloads whatever PGP key is listed on the repo's install instructions.

  • mc32  13 hours ago

    How would the homeless chap have the creds or gravitas for people to trust him or her?

    • veeti  10 hours ago

      I don't really know who Johannes Schindelin is either but use git quite happily.

dcrazy  14 hours ago

This is what macOS codesigning does. Notarization goes one step further and anchors the signature to an Apple-owned CA to attest that Apple has tied the signature to an Apple developer account.

  • laserbeam  13 hours ago

    As I understand it, this attack works because the worm looks for improperly stored secrets/keys/credentials. Once it find them it publishes malicious versions of those packages. It hits NPM because it’s an easy target… but I could easily imagine it hitting pip or the repo of some other popular language.

    In principle, what’s stopping the technique from targeting macos CI runners which improperly store keys used for Notorization signing? Or… is it impossible to automate a publishing step for macos? Does that always require a human to do a manual thing from their account to get a project published?

morkalork  14 hours ago

You don't think bad actors don't have access to entire countries worth of stolen identities to use for supply chain attacks?

  • hirsin  14 hours ago

    This was largely the reason I rejected "real name verification" ideas at GitHub after the xz attack. (Especially if they are state sponsored) it's not that hard for a dedicated actor (which xz certainly was) to get a quality stolen identity.

    The inevitable evolution of such a feature is a button on your repo saying" block all contributors from China, Russia, and N other countries". I personally think that's the antithesis of OSS and therefore couldn't find the value in such a thing.

    • morkalork  13 hours ago

      That would be easily defeated by a VPN. The inevitable evolution would be some kind of in-person attestation of identity backed up with some kind of insurance on the contributor's work, and, well you're converging on the employer-employee relationship then.

      3 replies →