I don't understand commercial aspect of large OSS like package managers but i was wondering for years why this was missing from npm.
I think typosquatting was handled by npm last year but only after some popular miss typed packages started stealing developer creds.
replyThe people building package managers are unaware of these problems going into it and it becomes extremely disruptive to start adding these things later on since your entire ecosystem is built on the assumption that they can do these things.
replyIt's also shockingly controversial to suggest typosquatting suggestions. I made this suggestion ages ago for cargo, demonstrated that basic distance checks would have impacted <1% of crates over all time, and people still didn't want it.
For those who didn't know what TUF means (like me), I think they're referring to The Update Framework (https://theupdateframework.io).
replySorry, I should have clarified that - you're correct. `cosign` is an example of a tool that makes this quite straightforward and proves that this sort of system can work today.
replyLove these ideas!
reply> Publishers to official registries should be forced to use 2FA. I proposed this a decade ago for crates.io and people lost their minds, like I was suggesting we drag developers to a shed to be shot.
replyHow is this enforced when it's pushed via a pipeline?
Your account is separate from your publishing. That is, in order to go to my account to change configuration values, 2FA must be required.
replyPublishing should be handled via something like Trusted Publishing, which would leverage short lived tokens and can integrate with cryptographic logs for publish information (ie: "Published from the main branch of this repo at this time").