[zarzavat]

There's an easy way to stop most supply chain attacks:

1. Publishing users must approve each and every release from a smartphone app.

2. Publishing users must provide verified government ID.

The first step prevents the types of attacks where an attacker gets control of a maintainer's computer and publishes a new release.

The second step discourages attacks where a user tries to get a malicious package used by others.

When combined with the security features that already exist, e.g. delays and automatic scanning, it would make it considerably harder to pull off a successful attack.

[hinkley]

No, because we've already had documented cases of people socially engineering exploits into OSS projects.

See also https://wikipedia.org/wiki/Confused_deputy_problem

You don't need permission to publish an exploit, you just need someone or something else to do it for you.

[ifwinterco]

Issue is this is such a pain (and shuts out a large percentage of the world population) that you'll inevitably get a parallel ecosystem of packages without these onerous controls that everyone would end up using.

I don't know how to square the circle but any variation of "make it safer but really painful and difficult for anyone to publish a package" has this problem

[inigyou]

How would this prevent Shai Halud?