nikcub 5 days ago

* passkeys

* signed packages

enforce it for the top x thousand most popular packages to start

some basic hygiene about detecting unique new user login sessions would help as well

SAI_Peregrinus 5 days ago

Requiring signed packages isn't enough; you have to enforce that signing can only be done with the approval of a trusted person.

People will inevitably set up their CI system to sign packages, no human intervention needed. If they're smart and the CI system is capable of it, they'll set it up to only build when a tag signed by someone approved to make releases is pushed, but far too often they'll just build if a tag is pushed, without enforcing signature verification or even checking which contributors can make releases. Someone with access to an approved contributor's GitHub account can very often trigger the CI system to make a signed release, even without access to that contributor's commit signing key.
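The gate the comment above describes, written out as an added example (not code from either commenter or from any project). The CI job runs `git verify-tag --raw <tag>`, which writes GnuPG's machine-readable status lines to stderr, and the policy below accepts the tag only if the signature is GOOD *and* the signing key's primary fingerprint is on an allowlist of release-manager keys. The fingerprints, user IDs and status transcripts are constructed for the example; the allowlist is assumed to come from CI-protected configuration rather than a file in the repository, because an attacker holding a contributor's GitHub account can push a tag and edit repository files, but cannot produce a signature from a key they do not hold.

```python
"""Gate a CI release on *who* signed the tag, not merely on whether it is signed.

Parses the status lines `git verify-tag --raw <tag>` emits on stderr and
accepts the tag only if the signature is GOOD and the signer's primary key
fingerprint is on an allowlist kept outside the repository.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional

STATUS_PREFIX = "[GNUPG:] "
# Status keywords after which the signature must not be trusted at all.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    signer_fpr: Optional[str] = None


def _norm(fpr: str) -> str:
    """Fingerprints may be pasted with spaces or lowercase; compare canonically."""
    return fpr.replace(" ", "").upper()


def release_allowed(status_output: str, allowed_fprs: Iterable[str]) -> Verdict:
    """Apply the release policy to raw gpg status output (pure function, no I/O)."""
    allowed = {_norm(f) for f in allowed_fprs}
    seen = []
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable gpg/git output, not a status line
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            seen.append((parts[0], parts[1:]))
    keywords = {k for k, _ in seen}

    bad = keywords & FATAL
    if bad:
        return Verdict(False, f"signature rejected by gpg: {sorted(bad)}")
    if "GOODSIG" not in keywords or "VALIDSIG" not in keywords:
        return Verdict(False, "no valid signature on tag")

    # VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hashalgo> <class> [<primary-fpr>]
    validsig = next(args for k, args in seen if k == "VALIDSIG")
    signing_fpr = _norm(validsig[0])
    primary_fpr = _norm(validsig[9]) if len(validsig) > 9 else signing_fpr

    if primary_fpr in allowed or signing_fpr in allowed:
        return Verdict(True, "signed by an approved release key", primary_fpr)
    # This is the case the comment warns about: a GOOD signature from a key
    # (e.g. the CI bot's own) that is not authorised to cut releases.
    return Verdict(False, "good signature, but key is not approved for releases", primary_fpr)


def verify_tag(tag: str, allowed_fprs: Iterable[str]) -> Verdict:
    """Run in the CI job: needs git and gpg on PATH and the public keys imported."""
    proc = subprocess.run(["git", "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return release_allowed(proc.stderr, allowed_fprs)  # --raw status goes to stderr


# --- constructed sample data; fingerprints and identities are made up ---
RELEASE_KEY = "1F2E3D4C5B6A79880F1E2D3C4B5A69780F1E2D3C"  # approved release manager
CI_BOT_KEY = "0000111122223333444455556666777788889999"   # CI's own signing key

GOOD_RELEASE = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {RELEASE_KEY[-16:]} Release Manager <release@example.invalid>
[GNUPG:] VALIDSIG {RELEASE_KEY} 2024-05-01 1714521600 0 4 0 22 8 00 {RELEASE_KEY}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
# A perfectly valid signature from the wrong key: what an "auto-sign every tag" pipeline yields.
GOOD_BUT_BOT = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {CI_BOT_KEY[-16:]} ci-bot <ci@example.invalid>
[GNUPG:] VALIDSIG {CI_BOT_KEY} 2024-05-01 1714521600 0 4 0 22 8 00 {CI_BOT_KEY}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
TAMPERED = f"""[GNUPG:] NEWSIG
[GNUPG:] BADSIG {RELEASE_KEY[-16:]} Release Manager <release@example.invalid>
"""
UNSIGNED = "error: no signature found\n"

if __name__ == "__main__":
    for name, out in [("good release", GOOD_RELEASE), ("ci bot key", GOOD_BUT_BOT),
                      ("tampered", TAMPERED), ("unsigned", UNSIGNED)]:
        v = release_allowed(out, {RELEASE_KEY})
        print(f"{name:13} allowed={v.allowed!s:5} {v.reason}")
```

Only the first transcript passes; the second fails even though gpg reports a good signature, which is exactly the gap between "the package is signed" and "a trusted person approved this release". Wire `verify_tag` into a job that runs only on tag pushes and fails the build on `allowed == False`, and feed `allowed_fprs` from a protected CI variable so the tag pusher cannot change it.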