thewebguyd 3 hours ago

> Some other controls could at least alleviate the problem

The biggest one I'd suggest they change immediately is remove the ability for anyone to just take over an orphaned package. That's a crazy policy, to me.

It should require you to fork it & resubmit, not take over the original.

Then they can go through and do purges of orphaned packages that are beyond a certain age.

xnzakg 2 hours ago

How would this help against someone submitting an actual, non-compromised version bump, then adding malware once it's accepted?