[Pesthuf]

I feel like they could do a better job, though. In the postmortems of incidents you often hear it's because some maintainer got hit by the perfect phishing attack at the right time and they got tricked into entering password and TOTP into a phishing site. If that is so, why are we still allowing phishable credentials for logging into package repositories?

[Analemma_]

Multiple package managers are trying to move to ssh keys and other stronger forms of verification, as well as trying to outlaw binary tarballs and other such things. It's somewhat slow going: package owners sometimes get grouchy about this and drag their feet.

[cr125rider]

Which is wild we’re coming full circle. Everyone made these things easy to publish to so we could onboard newbies faster but then we all figured out that sacrificing security to save someone 10 minutes of reading was a bad idea.

Don’t get me started on everyone being git@github.com…

[junon]

Not quite the history as I remember it. These package managers were often created by small teams of people who originally didn't know they'd turn into Microsoft acquired corporations. The intent wasn't to onboard newbies. People just didn't have a reason to use insanely targeted attacks on OSS Things because OSS being used in such a widespread manner wasn't as common as it is today. It really feels like people have forgotten how things were back then.

[lelanthran]

> Multiple package managers are trying to move to ssh keys and other stronger forms of verification, as well as trying to outlaw binary tarballs and other such things.

What does binary tarballs have to do with it? Whether the package is in source form or in binary form, a long dependency chain attack is equally likely to succeed.