You can make a system with incentives to:
1. sign packages with long-term identity keys
2. protect those keys.
And if this person asked for ownership and checked out owner just handed over keys?
They may have done that. It may have made it clearer to them that they were transferring over a lot of trust to someone else, and they might have taken it more seriously and used a different approach. It can be helpful to have more friction for something like this.
I doubt the friction will be significantly greater than the UX to transfer GitHub repo ownership.
That's true, but I have the (perhaps wrong) impression that most people would take handing over control of a signing key more seriously than a repository on GitHub or a package on npm. It very explicitly involves trust / security so it's harder to ignore what should be obvious.
I think security and trust genuinely aren't on the radar of most developers. If they'd be more explicitly forced to consider that they were transferring over the trust placed in them by their downstream users, I think it's quite possible they would have done things differently.
I think you overestimate how much an explicit ⚠️ SECURITY ⚠️ flag affects the class of developers who will hand over entire ownership of their repo and publishing authority.
I don't mean a warning flag but rather something like a public log of added collaborators and requiring the owner to write a summary of why they're adding them just like they do for commit messages. Not entirely sure but I don't think people watching the repo even get notified.
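An added example (not code from anyone in this thread) of what the "public log of added collaborators" idea looks like from the downstream side: compare the maintainer set of the package version you have pinned against the candidate version, and block the upgrade when a maintainer was added or removed without a recorded reason. The snapshot data, maintainer names and version strings are constructed for illustration; real tooling would pull the maintainer list from the registry metadata.

```python
"""Added example: flag maintainer/collaborator changes between two package
metadata snapshots and require a recorded justification for each change.
All snapshot data below is constructed; it is not from any real package."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Snapshot:
    """Maintainer set as published for one package version."""
    version: str
    maintainers: FrozenSet[str]


@dataclass
class OwnershipEvent:
    kind: str            # "added" or "removed"
    maintainer: str
    from_version: str
    to_version: str
    reason: Optional[str] = None   # filled in from the justification log, if any


def diff_maintainers(old: Snapshot, new: Snapshot) -> List[OwnershipEvent]:
    """Every maintainer added or removed between the two snapshots, in a stable order."""
    events: List[OwnershipEvent] = []
    for m in sorted(new.maintainers - old.maintainers):
        events.append(OwnershipEvent("added", m, old.version, new.version))
    for m in sorted(old.maintainers - new.maintainers):
        events.append(OwnershipEvent("removed", m, old.version, new.version))
    return events


def audit_upgrade(old: Snapshot, new: Snapshot,
                  justifications: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (ok, findings). `justifications` is the hypothetical public log
    mapping a maintainer name to the owner's stated reason for the change.
    A change with no recorded reason is a blocking finding; a justified change
    is still surfaced so a human sees that trust was transferred."""
    findings: List[str] = []
    ok = True
    for ev in diff_maintainers(old, new):
        ev.reason = justifications.get(ev.maintainer)
        where = f"{ev.from_version} -> {ev.to_version}"
        if ev.reason is None:
            ok = False
            findings.append(
                f"BLOCK: maintainer '{ev.maintainer}' {ev.kind} in {where} "
                f"with no recorded reason")
        else:
            findings.append(
                f"NOTE: maintainer '{ev.maintainer}' {ev.kind} in {where}; "
                f"owner's reason: {ev.reason}")
    return ok, findings


# Constructed sample: the pinned version has one maintainer, the candidate
# version has gained a second one.
PINNED = Snapshot("1.2.0", frozenset({"original-author"}))
CANDIDATE = Snapshot("1.3.0", frozenset({"original-author", "new-collaborator"}))

if __name__ == "__main__":
    # No justification recorded: the upgrade is blocked and the change is visible.
    ok, findings = audit_upgrade(PINNED, CANDIDATE, {})
    print("ok =", ok)
    for line in findings:
        print(line)
    # With a recorded reason the upgrade proceeds, but the transfer is still logged.
    ok, findings = audit_upgrade(
        PINNED, CANDIDATE, {"new-collaborator": "taking over maintenance"})
    print("ok =", ok)
    for line in findings:
        print(line)
```

The point of the design is the one made in the thread: the check does not stop an owner who deliberately hands over control, it only removes the silence around it, so that people depending on the package see the change and the owner has to write down why.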
And that feature would have prevented this situation?
Can't know if anything would have made them reconsider and made better decisions. All I'm saying is that it's incredibly easy to hand over control without giving it much thought. There's very little friction and it's presented as something very casual and harmless.
Either way, there were multiple steps across GitHub & npm to hand over full control to a third party, and the previous owner did them all. Signing keys would not have prevented such a 'determined insider adversary', and I doubt any of the mentioned nudges would have either.
It's not really the impression I got from reading the threads on the repository. BTW, the npm package does know ownership was transferred. He didn't give them his account but rather transferred ownership. He's still the owner on GitHub and gave them commit access AFAICT.