undefined | Better HN

0 pointsXorNot5y ago0 comments

At this point I really wish we'd just go with a proper cryptography model, with a discovery overlay to provide names.

What I want as a developer is to establish my trust relationship to developers of libraries I depend on.

`npm install <somepackage>` should first check a record of signing keys in my source code repo, then check a user-level record of signing keys I've trusted before, and then - and only then - add a tentative trust relationship if this is brand new.

`npm release` or whatever (npm is just an example - every system could benefit from this) - would then actually give me the list of new trust relationships needed, so I can go and do some validation that these are the packages I think they are.

0 comments

brabel5y ago

Maven Central has used PGP for adding "trust" to library authors since the 90's!

https://central.sonatype.org/pages/requirements.html#sign-fi...

If only people creating new package managers would bother to spend an hour or two learning prior art.

With npm, you can only add "trust" to npm itself LOL: https://docs.npmjs.com/about-pgp-signatures-for-packages-in-...

What a joke.

bayindirh5y ago

> If only people creating new package managers would bother to spend an hour or two learning prior art.

No, no... We should move fast and break things. We can implement this in a week because the old dinosaurs are too close minded to implement these things.

Today, the hardware is cheap and network is reliable. No need for any safeguards or security features.

wh33zle5y ago

You might be interested in `crev`: https://github.com/crev-dev

monoideism5y ago

Despite being very interested in Rust, this is the first I've heard of crev. It's a very cool project.

That said, it's interesting to me that several people are trying to get the project to drop the Web of Trust, and focus on code reviews. I'm the exact opposite - the code reviews are an interesting, experimental approach, but I'm interested in the project because of the cryptographic Web of Trust. Any use of dev-originated code signing in a package ecosystem is great. For this reason, I'd love for this to get major pickup from Rust, and beyond.

Finally, I am a bit wary because the project is starting to look moribund. It's important for projects like these to know that the maintainer is in it for the long haul, even if there's initially very little adoption. When the project founder writes that they're in a "fight for survival", it makes me think they may abandon the project if it doesn't get significant adoption.

j / k navigate · click thread line to collapse