Comment by pyrolistical

3 days ago

Seems like requiring 2FA to publish or trusted publishing should prevent the vast majority of this issue.

The only tricky bit would be to disallow approval own pull request when using trusted publishing. That should fall back to requiring 2FA

6 comments

pyrolistical

Reply
thayne  3 days ago

It also make it impossible to publish using CI, which is problematic for projects with frequent releases. And trusted publishing doesn't solve that if you use self-hosted CI.

  • fc417fc802  3 days ago

    > trusted publishing doesn't solve that if you use self-hosted CI

    Is there any particular reason for the whitelist approach? Standing on the sidelines it appears wholly unnecessary to me. Authentication that an artifact came from a given CI system seems orthogonal to the question of how much trust you place in a given CI system.

    • thayne  3 days ago

      Well, given that Github owns NPM, one potential reason could be vendor lock in.

      Also, from an implementation standpoint it is probably easier to make a system that just works for a handful of OIDC providers, than a more general solution. In particular, a general solution would require having a UI and maybe an API for registering NPM as a service provider for an identity provider of the package owner's choice.

      3 replies →