Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
seanieb 3 days ago

There have been practical suggestions that could prevent this but NPM has not yet adopted:

- Prevent publishing new package versions for 24–48 hours after account credentials are changed.

- Require support for security keys.

lrvick 3 days ago | parent [-]

The most important is just having authors sign their code and packages, and verifying code that is signed on download, like every sane Linux distro goes.

Except NPM rejected this over and over going back to 2013.

https://github.com/npm/npm/pull/4016

andycaine 3 days ago | parent [-]

Some of the reservations around GPG and PKI are understandable. GPG signing clearly works for OS package managers where there is more control, but it's been a failure on PyPi, RubyGems and Maven.

I'd love to see npm adopt keyless signing like PyPi are doing with https://peps.python.org/pep-0740/.

lrvick 2 days ago | parent [-]

Keyless signing is not a real thing. Trust online is always anchored to keys, even if short lived. Keyless signing just means letting a centralized oracle blind sign for you with trust anchored in a CA key of some kind in most cases, that an unknown number of people can tamper with.

Also GnuPG is not PGP.

My team and I dual PGP sign all packages in stagex with smartcards after confirmed determinstic builds. It works great, and avoids trust in any single party or computer. We even do this for all our python packages as pip will not allow it.

It is a single command with a rust binary to setup a PGP smartcard out of the package, with a backup. (keyfork) All devs should be PGP signing releases, reviews, and commits so we have a paper trail blackhats cannot inject themselves into.

There are no excuses other than misconceptions and misinformation on this topic being normalized.

andycaine 2 days ago | parent [-]

That's great - PGP signing works for you in your org.

But the fact is it hasn't worked for package repos like PyPi, and it won't for npm, because in a distributed, low-trust ecosystem like npm, you can't easily bind identities to PGP keys or have any confidence in the key management practices of package signers.

And of course "keyless" signing isn't literally keyless. But tools like sigstore remove the need for the management of long-lived keys and can bind a signature to an identity verified by a trusted IdP, solving some of the main issues with adopting PGP signatures.