undefined

points

[-]

So if I'm developing something I want to use and the community finds it useful but I take no contributions and no feature requests I should have to find another person to deal with?

How do I even know who to trust, and what prevents two people from conspiring together with a long con? Sounds great on the surface but I'm not sure you've thought it through.

by dec0dedab0de1 days ago|

parent|

[-]

It wouldn't prevent a project that has a goal of being purposely malicious, just from pushing out releases that aren't actually releases.

As far as who to trust, I could imagine the maintainers of different high-level projects helping each other out in this way.

Though, if you really must allow a single user to publish releases to the masses using existing shared social infrastructure. Then you could mitigate this type of attack by adding in a time delay, with the ability for users to flag. So instead of immediately going live, add in a release date, maybe even force them to mention the release date on an external system as well. The downside with that approach is that it would limit the ability to push out fixes as well.

But I think I am OK with saying if you're a solo developer, you need to bring someone else on board or host your builds yourself.

by vikarti16 hours ago|

parent|

[-]

Why not make it _optional_ but implement on github,etc so any publisher could enable this, no matter how small. But also make it possibel to disable either by support request and small wait or by secondary confirmation or via LONG (months) wait.

by worksonmine1 days ago|

parent|

prev|

[-]

Or just don't install every package on the earth. The only supply-chain attack I've been affected by is xz, and I don't think anyone was safe from that one. Your solution wouldn't have caught it.

Better to enforce good security standards than cripple the ecosystem.