If they wanted him to have the responsibility of doing due diligence, companies depending on his library should have paid him. He stated that he was doing it for fun and it stopped being fun so he handed it off to someone else as quickly as they showed up. It was a hobby project.
Conversation
Or they should have done the due diligence themselves. Blindly upgrading to a new version of the library from a different maintainer was their choice. How were they even verifying the sources? Doesn't sound like anything was signed, and an account takeover could have done this.
2
So apparently npm has no package signing. I didn't realize it was that bad. The previous developer didn't even need to hand over a signing key to the new developer, since nothing is being signed and verified anyway. What if they had simply chosen a bad / reused password for npm?
1
1
hard to imagine how package signing works without key management, and key management doesn’t work at scale, so i’m not sure this is a super fair criticism
1
1
2
I think TUF works well for managing a developer PKI and applying package AuthZ policies, however it’s also worth noting that would’ve done nothing to prevent this particular attack, since it was malware injected via transitive dependencies by an authorized publisher
1
There are language package managers with package signing. At the very least, pinning the key fingerprint on first use with a mechanism for automatically rotating to requiring signatures from additional new keys works well.
2
1
I'm not sure that end-user key management actually does work well for a system that operates at the scale that NPM does. Do you know what the largest deployment of such a package manager is?
2
I don't understand what scale has to do with it. Package signing works fine for many other package managers with a large scale. The basic trust on first use security properties don't require any end user key management or extra work on their part.
1
If you’re talking about things like Linux distros, those systems generally have automated signing by central build servers, or at the very least have no form of open enrollment.
1
I spent years working on Arch Linux and that's not how it worked at all. The package sources have pinned PGP key fingerprints which are used to automatically verify the sources. There are also pinned hashes for each version. Change of key is investigated.
git.archlinux.org/svntogit/packa
1
Developers build and sign the binary packages with their own keys. They're responsible for the security of their packages. The package manager trusts packages signed by a packager with at least 3/5 signatures from the master keys on their personal package signing key.
It doesn't incorporate have fancier things like reproducible builds and requiring multiple signatures, but the ecosystem is a long way away from that being possible across the board. It should also be noted that it is NOT a security focused / hardened distribution.
2
Arch Linux is entirely a project run by volunteers. The packagers aren't paid. The people developing the package manager (pacman) and build system (makepkg) aren't paid. It doesn't have a focus on security. Yet, they've done the basics of having a decent package signing system.
That sounds awful. I prefer my Linux distros securely compiled and signed by a central build system. All of this is orthogonal to language package managers.
1
It's not orthogonal to language package managers, and I don't think that trusting a server build server as a single central point of failure without individual accountability is better. An improvement is having reproducible builds and requiring multiple signatures.
1
1
Show replies