by gilleain 493 days ago
So might it be useful to have some mechanism to check if the 'maintainer' (owner/principal committer/?? - what Peter Murray-Rust used to refer to as the 'Dr Who') changes?

Like, when bumping the version on a dependency, the security system could check if the maintainer has changed, then you could go and double-check any changes.

2 comments

We used to meet physically 15 years ago to exchange PGP keys, building a verifiable chain of trust.

It's depressing to see these efforts ignored nowadays and the consequence being we still can't trust anyone online.

I assume there is also a black market for mature GitHub accounts. So you won't necessarily know if the maintainer is now a different person.

Good point.

Also, where would the information be stored? If it was in the repo itself (as metadata) then the malicious maintainer could just not update it ...
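One way to implement the check proposed in the post, as an added example that is not from anyone in the thread: a Python script that walks a constructed npm-registry-style package document and flags the versions in a bump range whose publisher differs from the previous one, plus any change to the current maintainer list. It relies on the registry's per-version `_npmUser` field and top-level `maintainers` list, which the registry records outside the project's repo (one answer to the storage question above); the package name, accounts and versions are constructed sample data, and, as noted above, an unchanged account name does not prove an unchanged person.

```python
"""Flag publisher/maintainer changes when bumping an npm dependency."""
import json

# Constructed npm-registry-style package document (packument); not real data.
# `_npmUser` is the account that published each version and `maintainers`
# is the current list; both are recorded by the registry, not in the repo.
PACKUMENT = json.loads("""{
  "name": "example-widget",
  "maintainers": [{"name": "alice", "email": "alice@example.invalid"},
                  {"name": "mallory", "email": "mallory@example.invalid"}],
  "versions": {
    "1.0.0": {"_npmUser": {"name": "alice", "email": "alice@example.invalid"}},
    "1.1.0": {"_npmUser": {"name": "alice", "email": "alice@example.invalid"}},
    "1.1.1": {"_npmUser": {"name": "mallory", "email": "mallory@example.invalid"}},
    "1.2.0": {"_npmUser": {"name": "mallory", "email": "mallory@example.invalid"}}
  }
}""")


def _key(version):
    """Sort key for plain x.y.z versions (no pre-release tags in the sample)."""
    return tuple(int(p) for p in version.split("."))


def publisher_changes(packument, from_version, to_version):
    """Return [(version, previous_publisher, new_publisher)] for every version
    in (from_version, to_version] published by a different account than the
    version before it. A hit means: go and review that version's diff."""
    versions = sorted(packument["versions"], key=_key)
    lo, hi = _key(from_version), _key(to_version)
    prev = packument["versions"][from_version]["_npmUser"]["name"]
    changes = []
    for v in versions:
        if lo < _key(v) <= hi:
            cur = packument["versions"][v]["_npmUser"]["name"]
            if cur != prev:  # same account name != same person, but a change is a signal
                changes.append((v, prev, cur))
            prev = cur
    return changes


def maintainer_delta(packument, known):
    """Compare the registry's current maintainer set with the set recorded at
    the last review; returns (added, removed) as sorted lists."""
    current = {m["name"] for m in packument["maintainers"]}
    return sorted(current - known), sorted(known - current)


if __name__ == "__main__":
    for v, old, new in publisher_changes(PACKUMENT, "1.0.0", "1.2.0"):
        print(f"{v}: published by {new}, previously {old}; review this version")
    added, removed = maintainer_delta(PACKUMENT, {"alice"})
    print("maintainers added:", added, "removed:", removed)
```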