Skip to content
Better HN
Top
Best
Ask
Show
New
Jobs
Search
⌘K
0 points
hashstring
7mo ago
0 comments
Save
Share
They can, but what does it solve? If a malicious package gets pushed, who or what is the equivalent of the CA that you are you going to nuke?
0 comments
1 comments · 1 top-level
top
newest
oldest
rishabhaiover
7mo ago
I was working with the assumption in this model the attestation is signed by ephemeral keys (OIDC) which would reveal the bad actor or give breadcrumbs. Enough to reduce incentives to hijack packages.
j
/
k
navigate · click thread line to collapse
