by perpetualcrayon 2749 days ago
I don't think anyone would expect different behavior out of end users. But the "instant gratification" a malicious actor is seeking by asking to "maintain a package" will be delayed substantially. In fact, if you are straight up with folks telling them that you don't personally know who is now maintaining the fork, folks who do decide to trust them will know to proceed with caution and will probably watch the PRs on the repo for a period of time. So, technically not only are we delaying instant gratification of being given access to probably millions of "hits", we're forcing the malicious actor to actually maintain the package and gain the trust of the community independently before they can wreak havoc.

Then over time if it's an important enough package there will probably be discussions or blog posts about the new maintainer and what a "fantastic" or "terrible" job they're now doing.