They may have done that. It may have made it clearer to them that they were transferring over a lot of trust to someone else, and they might have taken it more seriously and used a different approach. It can be helpful to have more friction for something like this.
That's true, but I have the (perhaps wrong) impression that most people would take handing over control of a signing key more seriously than a repository on GitHub or a package on npm. It very explicitly involves trust / security so it's harder to ignore what should be obvious.
I think security and trust genuinely aren't on the radar of most developers. If they'd been more explicitly forced to consider that they were transferring over the trust placed in them by their downstream users, I think it's quite possible they would have done things differently.
GitHub doesn't try to make you consider the consequences of your actions, or to guide you into making secure decisions. They make it so easy to add a committer. You type their name and press add collaborator. It's incredibly easy to just accidentally add the wrong person.
It's a serious security decision with an impact on other people, but it's presented as a social media add friend button. I can see how someone wouldn't take it seriously, if they're doing this as a hobby and they're never presented with any warnings or advice discouraging this.
If they had to run a command to do a key rotation to move to the other developer's key, I think they might have reconsidered. It's true they may have done it anyway or even given them a personal signing key with their email / name instead of rotating to a new key.