> How do you verify that?

I think if they required a user or org-namespaced package name, you'd get that. For example, if https://exiftool-vendored.js.org was `@mceachen/exiftool-vendored`, or `@photostructure/exiftool-vendored`, it's explicit, in the package name, who you're trusting.

> ... did someone get unauthorized access ...

If they required publishing to be via 2FA-authenticated users, and (if I can dream), GPG-signed commits, I think you get most of the way there. GitHub is starting greenfield here, and it's frustrating they didn't (at least afaict) require these small steps.

When I'm looking at a given package, I'd like:

1. Assurance that the package was published by the author
2. Assurance that the package contents were generated, in an externally repeatable way, from a release tag.

It seems like they could have lifted 1. by requiring 2FA and GPG. It seems like their new Actions tab could have given us 2. It may, I can't tell from the demo.

And when I update my dependencies, I also want to see the diffs from the version I'm updating from. GitHub already has nice comparison views for arbitrary commit SHAs, so this should be doable as well.
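The two checks the comment asks for on the consumer side, "does the published tarball match what a build from the release tag produces" and "what changed between the version I have and the version I'm updating to", can be done locally today without waiting for the registry. The script below is an added example, not the commenter's code and not part of any GitHub or npm tooling: it hashes every regular file in a package tarball, compares that manifest against hashes computed from your own checkout of the tag, and diffs two manifests into added/removed/changed paths. The package name `example` and both version tarballs are constructed in memory for the demonstration.

```python
"""Verify a package tarball against a source tree and diff two versions.

Added example (not the commenter's code, not registry tooling). The
tarballs for "1.0.0" and "1.0.1" of a hypothetical package are
constructed in memory so the script runs offline.
"""
import hashlib
import io
import tarfile


def build_manifest(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file inside the tarball to its sha256 hex digest."""
    manifest: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # directories, symlinks, devices carry no content to hash
            data = tar.extractfile(member).read()
            manifest[member.name] = hashlib.sha256(data).hexdigest()
    return manifest


def diff_manifests(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Paths added, removed, or whose bytes changed between two manifests."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def matches_source_tree(manifest: dict[str, str], source_files: dict[str, bytes]) -> bool:
    """True iff the tarball carries exactly the files, byte for byte, built from the tag.

    `source_files` stands in for the file set you produced yourself from a
    checkout of the release tag; an extra, missing, or altered file fails.
    """
    expected = {path: hashlib.sha256(data).hexdigest() for path, data in source_files.items()}
    return expected == manifest


def make_tarball(files: dict[str, bytes]) -> bytes:
    """Build a gzip tarball in memory (used only to construct the sample versions)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample contents of two consecutive releases of package "example".
V1_FILES = {
    "package/package.json": b'{"name":"example","version":"1.0.0"}\n',
    "package/index.js": b'module.exports = () => "hello";\n',
    "package/README.md": b"# example\n",
}
V2_FILES = {
    "package/package.json": b'{"name":"example","version":"1.0.1"}\n',
    "package/index.js": b'module.exports = () => "hello";\n',
    "package/lib/util.js": b"exports.trim = (s) => s.trim();\n",
}


def sample_diff() -> dict[str, list[str]]:
    """Diff the constructed 1.0.0 and 1.0.1 tarballs."""
    old = build_manifest(make_tarball(V1_FILES))
    new = build_manifest(make_tarball(V2_FILES))
    return diff_manifests(old, new)


if __name__ == "__main__":
    v1_manifest = build_manifest(make_tarball(V1_FILES))
    print("1.0.0 tarball reproducible from tag:", matches_source_tree(v1_manifest, V1_FILES))
    for kind, paths in sample_diff().items():
        for path in paths:
            print(f"{kind:>8}: {path}")
```

In real use `make_tarball` is replaced by the registry tarball you downloaded, and `source_files` by the files your own build of the tagged commit emitted; a mismatch tells you the published artifact was not produced the way the repository claims, before any install script runs.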