Hacker News
new
|
past
|
comments
|
ask
|
show
|
jobs
|
submit
login
rishabhaiover
59 days ago
|
parent
|
context
|
favorite
| on:
Shai-Hulud Returns: Over 300 NPM Packages Infected
Why can't package managers enforce attestations backed by a transparent log for each commit made to a public repository?
hashstring
59 days ago
|
next
[–]
They can, but what does it solve? If a malicious package gets pushed, who or what is the equivalent of the CA that you are you going to nuke?
rishabhaiover
59 days ago
|
parent
|
next
[–]
I was working with the assumption in this model the attestation is signed by ephemeral keys (OIDC) which would reveal the bad actor or give breadcrumbs. Enough to reduce incentives to hijack packages.
dboreham
59 days ago
|
prev
[–]
They can but that wasn't done in this case and isn't commonly done for various reasons.
Guidelines
|
FAQ
|
Lists
|
API
|
Security
|
Legal
|
Apply to YC
|
Contact
Search:
