I don’t understand how software signing handles the edge-case of “legitimate dev hands maintenance over to some rando” but I am excited to find out.
I was curious about what the developer did to transfer over ownership of the project and noticed npm has no package signing so I mentioned that in a thread about this. I never said it would have prevented what happened. I was just surprised they didn't need to hand over a key.
The developer transferred ownership of the package on npm. They didn't give away their account so it was transparent that it was transferred to a new developer, although there was no announcement or notification. No one was verifying the releases or checking who was making them.
[This Tweet was deleted by the Tweet author.]
Who says he didn't understand the gravity of what he was doing? Also, given no one was giving him anything in return for his work, why should he give a fuck about your perception of gravity?
Look, here's the thread that I assume was being referenced:
twitter.com/DanielMicay/st
I genuinely don't understand the hostility today.
I originally just left those 3 replies and then it became an unrelated argument about whether package signing is feasible / realistic.
Quote Tweet
Replying to @hdevalence and @bascule
If they wanted him to have the responsibility of doing due diligence, companies depending on his library should have paid him. He stated that he was doing it for fun and it stopped being fun so he handed it off to someone else as quickly as they showed up. It was a hobby project.
I never said package signing was the solution to this problem, and I also don't think I have a dissimilar opinion from you on this. Maybe we disagree on some finer points, but there's no point in getting mad at someone who agrees with you.
Quote Tweet
Replying to @DanielMicay and @encthenet
If you're making a product where security is critical and a lot is at stake if you get it wrong, like a cryptocurrency wallet, it's probably a good idea to carefully choose dependencies, figure out who you're trusting and make sure those projects have some resources for security.
Also, look at what he wrote himself: gist.github.com/dominictarr/9f, particularly this article he links about the development approach used by a large part of that community: felixge.de/2013/03/11/the.
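The thread's concrete point is that nobody was checking who was publishing the releases. Even without package signatures, the npm registry's package document (the JSON served at registry.npmjs.org/&lt;name&gt;) records, for every version, the account that ran `npm publish` (`versions[v]._npmUser`) and the publish time (`time[v]`), so a publisher change between two releases is visible to anyone who looks. The script below is an added example, not code from anyone in the thread or from npm: it orders the versions by publish time and flags every release whose publisher differs from the previous one, and every dependency that first appears in a release. The package document embedded in it is constructed sample data with invented package and user names; the `fetchPackument` helper is the only piece that touches the network and is not called by default.

```javascript
// Added example (not from the thread): audit an npm registry packument for
// publisher changes and newly added dependencies between releases.
// Fields used are real registry fields: versions[v]._npmUser (who ran
// `npm publish`), versions[v].dependencies, and time[v] (publish timestamp).

// CONSTRUCTED sample packument with invented names; a real one comes from
// https://registry.npmjs.org/<package-name>
const samplePackument = {
  name: "example-stream",
  "dist-tags": { latest: "3.3.6" },
  time: {
    created: "2017-01-01T00:00:00.000Z",
    modified: "2018-09-16T00:00:00.000Z",
    "3.3.4": "2018-01-10T00:00:00.000Z",
    "3.3.5": "2018-09-09T00:00:00.000Z",
    "3.3.6": "2018-09-16T00:00:00.000Z",
  },
  versions: {
    "3.3.4": {
      version: "3.3.4",
      _npmUser: { name: "alice", email: "alice@example.invalid" },
      dependencies: { through: "~2.3.1" },
    },
    "3.3.5": {
      version: "3.3.5",
      _npmUser: { name: "bob", email: "bob@example.invalid" },
      dependencies: { through: "~2.3.1" },
    },
    "3.3.6": {
      version: "3.3.6",
      _npmUser: { name: "bob", email: "bob@example.invalid" },
      dependencies: { through: "~2.3.1", "some-new-dep": "^1.0.0" },
    },
  },
};

// Versions ordered by publish time. The time map also carries
// "created"/"modified", so only keys that are real versions are kept.
function sortedVersions(packument) {
  const time = packument.time || {};
  return Object.keys(packument.versions || {})
    .filter((v) => typeof time[v] === "string")
    .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));
}

function publisherOf(versionMeta) {
  return (versionMeta._npmUser && versionMeta._npmUser.name) || "<unknown>";
}

// Walk releases in publish order and collect two signals:
//  - publisherChanges: the publishing account differs from the previous release
//  - addedDependencies: a dependency name that was absent from the previous release
function auditPackument(packument) {
  const versions = sortedVersions(packument);
  const publisherChanges = [];
  const addedDependencies = [];
  let prev = null;
  for (const v of versions) {
    const meta = packument.versions[v];
    const publisher = publisherOf(meta);
    const deps = Object.keys(meta.dependencies || {});
    if (prev !== null) {
      const prevMeta = packument.versions[prev];
      const prevPublisher = publisherOf(prevMeta);
      if (publisher !== prevPublisher) {
        publisherChanges.push({
          version: v,
          from: prevPublisher,
          to: publisher,
          publishedAt: packument.time[v],
        });
      }
      const prevDeps = new Set(Object.keys(prevMeta.dependencies || {}));
      for (const d of deps) {
        if (!prevDeps.has(d)) {
          addedDependencies.push({ version: v, dependency: d, publisher });
        }
      }
    }
    prev = v;
  }
  return { publisherChanges, addedDependencies };
}

// Optional live use (Node 18+ has global fetch): fetches the real packument.
// Not invoked here so the example stays offline.
async function fetchPackument(name) {
  const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}`);
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

function formatReport(packument) {
  const { publisherChanges, addedDependencies } = auditPackument(packument);
  const lines = [`audit of ${packument.name}:`];
  for (const c of publisherChanges) {
    lines.push(`  ${c.version} (${c.publishedAt}): publisher changed ${c.from} -> ${c.to}`);
  }
  for (const a of addedDependencies) {
    lines.push(`  ${a.version}: new dependency "${a.dependency}" added by ${a.publisher}`);
  }
  if (lines.length === 1) lines.push("  no publisher changes or new dependencies");
  return lines.join("\n");
}

console.log(formatReport(samplePackument));
```

A publisher change is not proof of anything bad: legitimate projects rotate maintainers all the time. What the check gives a downstream consumer is the notification the thread says nobody received, at which point reviewing the next release (and anything new it depends on) is the due diligence the later replies are arguing about.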