Something helpful here would be to enable developers to optionally identify themselves. Not Discord-style where only the platform knows their real identity, but publically as well.

▲

gruez 7 hours ago | parent | next [-]

So, EV code signing certificates? Windows has that, and it'll verify that right in the OS. Git for instance, shows as being signed by

CN = Johannes Schindelin O = Johannes Schindelin S = Nordrhein-Westfalen C = DE

Downside is the cost. Certificates cost hundreds of dollars per year. There's probably some room to reduce cost, but not by much. You also run into issues of paying some homeless person $50 to use their identity for cyber crimes.

▲

mc32 6 hours ago | parent [-]

How would the homeless chap have the creds or gravitas for people to trust him or her?

	▲	veeti 3 hours ago \| parent [-]
		I don't really know who Johannes Schindelin is either but use git quite happily.

▲

dcrazy 6 hours ago | parent | prev | next [-]

This is what macOS codesigning does. Notarization goes one step further and anchors the signature to an Apple-owned CA to attest that Apple has tied the signature to an Apple developer account.

	▲	laserbeam 5 hours ago \| parent [-]
		As I understand it, this attack works because the worm looks for improperly stored secrets/keys/credentials. Once it find them it publishes malicious versions of those packages. It hits NPM because it’s an easy target… but I could easily imagine it hitting pip or the repo of some other popular language. In principle, what’s stopping the technique from targeting macos CI runners which improperly store keys used for Notorization signing? Or… is it impossible to automate a publishing step for macos? Does that always require a human to do a manual thing from their account to get a project published?

▲

morkalork 6 hours ago | parent | prev [-]

You don't think bad actors don't have access to entire countries worth of stolen identities to use for supply chain attacks?

▲

hirsin 6 hours ago | parent [-]

This was largely the reason I rejected "real name verification" ideas at GitHub after the xz attack. (Especially if they are state sponsored) it's not that hard for a dedicated actor (which xz certainly was) to get a quality stolen identity.

The inevitable evolution of such a feature is a button on your repo saying" block all contributors from China, Russia, and N other countries". I personally think that's the antithesis of OSS and therefore couldn't find the value in such a thing.

▲

morkalork 6 hours ago | parent [-]

That would be easily defeated by a VPN. The inevitable evolution would be some kind of in-person attestation of identity backed up with some kind of insurance on the contributor's work, and, well you're converging on the employer-employee relationship then.

	▲	berdario 22 minutes ago \| parent \| next [-]
		"defeated", yes "easily", not so much... As in, services can still detect if you're connecting through a VPN, and if you ever connect directly (because you forgot to enable the VPN), your real location might be detected. And the consequences there might not be "having to refresh the page with the VPN enabled", but instead: "find the whole organisation/project blocked, because of the connection of one contributor" This is why Comaps is using codeberg, after its predecessor (before the fork) project got locked by GitHub https://news.ycombinator.com/item?id=43525395 https://mastodon.social/@organicmaps/114155428924741370 Moreover, this kind of stuff is also the reason I stopped accessing Imgur: - if I try without VPN, imgur stops me, because of the UK's Online Safety Act - if I try with my personal VPN, I get a 403 error every single time I'm sure I could get around it by using a different service (e.g. Mullvad), but imgur is just not important enough for me to bother, so I just stopped accessing it altogether
	▲	hirsin 6 hours ago \| parent \| prev [-]
		Yep, I saw the cat and mouse ending at ever increasingly invasive verifications involving more parties, that could ultimately still be worked around by a state actor. We already get asked for "block access from these country ip ranges please" as a security measure despite it being trivially bypassed, so it is easy to predict a useless but strong demand for blocking users based on their verified country.