▲ | thombles 3 days ago |
I think if somebody wants to see library distribution channels tightened up they need to be very specific about what they would like to see changed and why it would be better, since it would appear that the status quo is serving what people actually want: being able to create and upload packages and update them when you want.

> But right now there are still no signed dependencies and nothing stopping people using AI agents, or just plain old scripts, from creating thousands of junk or name-squatting repositories.

This is as close as we get in this particular piece. So what's the alternative here exactly? Do we want uploaders to sign up with Microsoft accounts? Some sort of developer vetting process? A curated lib store? I'm sure everybody will be thrilled if Microsoft does that to the JS ecosystem. (/s)

I'm not seeing a great deal of difference between having someone's NPM creds and having someone's signing key. Let's make things better, but let's also be precise, please.
▲ | cube00 3 days ago | parent | next [-] |
> But right now there are still no signed dependencies

Considering these attacks are stealing API tokens by running code on developers' machines, I don't see how signing helps; attackers will just steal the private keys and sign their malware with those.
▲ | izacus 3 days ago | parent | prev | next [-] |
What are you talking about? NPM keeps having issues that the "status quo" of other platforms doesn't.
▲ | lukan 3 days ago | parent | prev [-] |
We treat code repositories as public infrastructure, but we don't want to pay for them, so corporations run them with their profit interests in mind. This is the fundamental conflict that I see. One solution: more non-profits as the organisations behind them.