undefined | Better HN

0 pointsHereBeBeasties5y ago0 comments

How does it work in practice, though? For example, create-react-app in NPM has a bajillion deps. Do I trust 8,000 keys? Which ones are OK?

I get that you could in principle namespace things (at least for package managers that support this) and insist on a small set of company-internal signing keys for those namespaces. But managing all that isn't easy and what about for package ecosystems that don't really have namespaces (e.g. PyPI, NuGet)?

0 comments

baybal25y ago

> Do I trust 8,000 keys? Which ones are OK?

You can at least trust more 8000 developers whose keys are centrally signed, than 8000 packages thrown into signing CI tooling by who knows.

j / k navigate · click thread line to collapse

0 pointsHereBeBeasties5y ago0 comments

How does it work in practice, though? For example, create-react-app in NPM has a bajillion deps. Do I trust 8,000 keys? Which ones are OK?

0 comments

baybal25y ago

> Do I trust 8,000 keys? Which ones are OK?

You can at least trust more 8000 developers whose keys are centrally signed, than 8000 packages thrown into signing CI tooling by who knows.

j / k navigate · click thread line to collapse