NiloCK 4 hours ago

This is a credentials and access list oAuth style problem, and not really intractable. For package X, I should be able to present my npm (homebrew, apt, nuget, etc) credentials with publishing rights for the package. If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing. Yes, we still are trusting trust, that the owner of the package itself is not malicious, but that's not a sharp degradation from status quo.
Retr0id 4 hours ago (reply to NiloCK)

This is not tractable, because there is nothing stopping me from copy-pasting someone else's project into my own namespace. Under most OSS licenses I have express permission to do so. If you try to do some kind of dupe-detection, someone can use a lightweight LLM to make superficial changes until it's considered a different project. Finally, the meatspace status quo is that it is totally acceptable to pay someone to find security bugs in someone else's open-source software, such as the Linux kernel.

sophrosyne42 3 hours ago (reply to NiloCK)

You are talking about creating a big moat, which might be a worse precedent than removing fable access altogether.
Yossarrian22 3 hours ago (reply to NiloCK)

And what if I’m a crazy person and want to fork the Linux kernel as I’m legally allowed to do?