I don’t understand how software signing handles the edge-case of “legitimate dev hands maintenance over to some rando” but I am excited to find out.
Conversation
Replying to
I'm definitely interested in systematic solutions to this problem. I think sandboxing would have made it harder to pull off, or at least made detecting it much easier. I don't think we'll ever avoid the need for auditing, but auditing could be much easier.
2
4
It's difficult to provide meaningful sandboxing at a language level between components. The language would need to support it and it would need to require explicitly delegating the desired / needed capabilities to the dependencies or it wouldn't reduce trust in the components.
1
2
Having it isolated and without direct capabilities beyond pure functions receiving parameters and returning results also doesn't mean it isn't trusted. Many of these npm libraries are for extremely basic functionality. In other ecosystems, a huge portion would be in the stdlib.
1
1
Rich standard libraries work well for other language ecosystems, as do larger external library projects. They took library modularity to the extreme. Instead of a couple trusted dependencies, applications depend on hundreds of tiny projects, mostly by 1 dev with no code review.
everything you say is true, luckily, some great minds who have been working on exactly all that for literally decades, and have even managed to sneak the necessary features into javascript: github.com/agoric/ses and erights.org
1
5