ignoramous 5 days ago
> Can package publishing platforms PLEASE start SIGNING emails

I am skeptical this solves phishing & not add to more woes (would you blindly click on links if the email was signed?), but if we are going to suggest public key cryptography, then: NPM could let package publishers choose if only signed packages must be released and consumers decide if they will only depend on signed packages. I guess, for attackers, that moves the target from compromising a publisher account to getting hold of the keys, but that's going to be impossible... as private keys never leave the SSM/HSM, right?

> Get them to distrust any unsigned email, no matter how convincing it looks.

For shops of any important consequence, email security is table stakes, at this point: https://www.lse.ac.uk/research/research-for-the-world/societ...
elric 5 days ago | parent
I don't think signed email would solve phishing in general. But for a service by-and-for programmers, I think it at least stands a chance. Signing the packages seems like low hanging fruit as well, if that isn't already being done. But I'm skeptical that those keys are as safe as they should be; IIRC someone recently abused a bug in a Github pipeline to execute arbitrary code and managed to publish packages in that way. Which seems like an insane vulnerability class to me, and probably an inevitable consequence of centralising so many things on github.