Hacker News
by lrvick, 26 days ago
But a maintainer could merge their own PR created by a pseudonym, and signing is not required, so in effect, they can ship any changes to their own packages they wish. This is a major supply chain security risk.