by semiquaver, 2 days ago
Ok? Not sure what a package manager can do about the fact that eventually you want to run the things you install.
1 comment

frabcus, 1 day ago
Have any kind of provenance, e.g. like Debian has had for 30 years. Key signing in person, etc.

tpetry, 1 day ago
That has also been implemented recently. With staged publishing the author must verify a new release with 2FA, so automated attacks don't work anymore. Some human in the loop must verify a release.