I don’t understand how software signing handles the edge-case of “legitimate dev hands maintenance over to some rando” but I am excited to find out.
I was curious about what the developer did to transfer over ownership of the project and noticed npm has no package signing so I mentioned that in a thread about this. I never said it would have prevented what happened. I was just surprised they didn't need to hand over a key.
1
The developer transferred ownership of the package on npm. They didn't give away their account so it was transparent that it was transferred to a new developer, although there was no announcement or notification. No one was verifying the releases or checking who was making them.
Who says he didn't understand the gravity of what he was doing? Also, given no one was giving him anything in return for his work, why should he give a fuck about your perception of gravity?
1