I don't mean a warning flag but rather something like a public log of added collaborators and requiring the owner to write a summary of why they're adding them just like they do for commit messages. Not entirely sure but I don't think people watching the repo even get notified.
And that feature would have prevented this situation?
Can't know if anything would have made them reconsider and made better decisions. All I'm saying is that it's incredibly easy to hand over control without giving it much thought. There's very little friction and it's presented as something very casual and harmless.
Either way, there were multiple steps across GitHub & npm to hand over full control to a third party, and the previous owner did them all. Signing keys would not have prevented such a 'determined insider adversary', and I doubt any of the mentioned nudges would have either.
It's not really the impression I got from reading the threads on the repository. BTW, the npm package does know ownership was transferred. He didn't give them his account but rather transferred ownership. He's still the owner on GitHub and gave them commit access AFAICT.
So even though they did this without announcing it or notifying users in any way, it was done out in the open. There was no attempt to hide that it was transferred to a new developer and people weren't aware because there was no notification or warning about an ownership change.
Maintainers no longer having time / interest in maintaining a project is a real issue and what he expressed. I get the impression he acted in good faith and didn't consider the consequences since he seemed to see it on the same level as maintaining something like a wiki page.
So, it's quite possible that signing keys and changes to the UI wouldn't have made a difference. However, I do think part of the problem was how casually he was able to turn over control via standard interfaces and it's treated as so normal that no one gets notified it happened.
The attacker was definitely very clever, so I can believe they were very convincing. They implemented a requested feature (github.com/dominictarr/ev) using a library with a malicious backdoor that only kicked in when used as part of a cryptocurrency wallet.
So, I think there are a lot of things that could have made this go differently. There was a maintainer desperate to hand the project off to someone else and they were able to do that very easily with low friction and without considering potential consequences of their actions.