I don’t understand how software signing handles the edge-case of “legitimate dev hands maintenance over to some rando” but I am excited to find out.
I was curious about what the developer did to transfer over ownership of the project and noticed npm has no package signing so I mentioned that in a thread about this. I never said it would have prevented what happened. I was just surprised they didn't need to hand over a key.
The developer transferred ownership of the package on npm. They didn't give away their account so it was transparent that it was transferred to a new developer, although there was no announcement or notification. No one was verifying the releases or checking who was making them.