noodlesUK 4 hours ago
I think that we should impose WebAuthn 2FA on all npm accounts as the only acceptable auth method if you have, e.g., more than 1 million total downloads. Someone could pony up the cash to send out a few thousand YubiKeys for this and we'd all be a lot safer.
kelnos 5 minutes ago
How would that work for CI release flows? I have my Rust crates, for example, set up to auto-publish whenever I push a tag to their repos.
thewebguyd 4 hours ago
Why even put a package download count on it? Just require it for everything submitted to npm. It's not hard.
LtWorf 2 hours ago
PyPI did that; I got 2 Google keys for free. But I used them literally once, to create a token that never expires, and that is what I actually use to upload to PyPI. (I did a talk at MiniDebConf last year in Toulouse about this.) If implemented like this, it's completely useless, since there is actually no 2FA at all. Anyway, the idea of making libre software developers work more is a bad idea. We do it for fun. If we have to do corporate stuff, we want a corporate salary to go with it.
ForHackernews 2 hours ago
PyPI already has this. It was a little bit annoying when they imposed stricter security on maintainers, but I can see the need.