by hyperpape
3079 days ago
(1) has the consequence that names are associated with the original creator long after they may no longer be involved. Package signing I can't tell if it's a good idea or not. It would require you to accept a new key in this case, but that is going to happen super frequently with NPM, inducing alert fatigue, and it doesn't do anything to prevent the authors' publishing credentials getting stolen.

e.g. philipwhiuk/gnome moves to gnome/core and there's a version published to philipwhiuk/gnome that pulls in gnome/core