Microsoft's GitHub absorbs NPM into its code-hosting empire: JavaScript library vault used by 12 million devs now under Redmond's roof

Anonymous Coward

Re: "Loads of ways"

> Who checks dev certificates

Your package manager. Every package manager which expects signed code has a mechanism for telling it which signatures are acceptable for which packages/repositories.

I imagine the chief difference from today's centralised systems would be that a change in ownership of a package would be an explicit action every package consumer would have to make (accepting the new dev's signing key for that package), rather than delegating that decision to the controllers of the repository.

> How difficult is it, for example, to take package X, modify it, re-sign it with a valid dev certificate and distribute it from a local node repository?

Trivial. It's called "creating a new package".

But how difficult is it to take that package, modify it, re-sign it with a certificate people trust, and pass it off as the same package from the same source as before?

Barring a disclosed private key, practically impossible.
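To make the trust model in this reply concrete, here is an added example (not part of the original comment, and not code from npm or GitHub) of a consumer-side trust store that pins signing keys per package name. The signature scheme is a toy textbook RSA over SHA-256 written inline so the block runs without third-party libraries; it stands in for a real scheme and is not one. The package name "left-pad", the package contents, and the three key pairs are constructed for the illustration. The scenario walks through the three cases from the thread: a genuine package verifies; the same package modified and re-signed with a different valid key is simply a new package the consumer never agreed to accept under that name; modified content carrying the old signature fails outright; and a change of maintainer only becomes acceptable after the consumer explicitly pins the successor's key.

```python
"""Per-package key pinning in a package consumer (added illustration).

Toy textbook RSA over SHA-256 is used only so the block runs without
third-party libraries; it is NOT a real signature scheme.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test (toy helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def gen_keypair(bits: int = 512):
    """Return ((n, e), (n, d)); n is wider than a SHA-256 digest so it always fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))


def _digest(content: bytes) -> int:
    return int.from_bytes(hashlib.sha256(content).digest(), "big")


def sign(priv, content: bytes) -> int:
    n, d = priv
    return pow(_digest(content), d, n)


def verify(pub, content: bytes, signature: int) -> bool:
    n, e = pub
    return pow(signature, e, n) == _digest(content)


@dataclass
class Package:
    name: str
    content: bytes
    signature: int


@dataclass
class TrustStore:
    """Consumer-side policy: which public keys may sign which package name."""
    pinned: dict = field(default_factory=dict)

    def trust(self, name: str, pub) -> None:
        """The explicit consumer action the reply describes (accepting a key for a package)."""
        self.pinned.setdefault(name, set()).add(pub)

    def accepts(self, pkg: Package) -> bool:
        """A package is accepted only if a key pinned for *its name* signed *this content*."""
        return any(verify(pub, pkg.content, pkg.signature) for pub in self.pinned.get(pkg.name, ()))


def run_scenario() -> dict:
    """Walk through the cases discussed in the thread; all names and contents are constructed."""
    maintainer_pub, maintainer_priv = gen_keypair()
    _other_pub, other_priv = gen_keypair()      # a valid key, just not one pinned for "left-pad"
    successor_pub, successor_priv = gen_keypair()

    store = TrustStore()
    store.trust("left-pad", maintainer_pub)

    original = b"module.exports = pad;"
    altered = b"module.exports = pad; // altered"
    genuine = Package("left-pad", original, sign(maintainer_priv, original))
    # Same name, altered content, re-signed with a different valid key: a new package,
    # not one this consumer has agreed to accept under that name.
    resigned = Package("left-pad", altered, sign(other_priv, altered))
    # Altered content still carrying the original signature: the digest no longer matches.
    tampered = Package("left-pad", altered, genuine.signature)
    # Ownership change: rejected until the consumer explicitly pins the successor's key.
    handover = Package("left-pad", altered, sign(successor_priv, altered))
    before_pin = store.accepts(handover)
    store.trust("left-pad", successor_pub)

    return {
        "genuine": store.accepts(genuine),
        "resigned_other_key": store.accepts(resigned),
        "tampered_same_sig": store.accepts(tampered),
        "handover_before_pin": before_pin,
        "handover_after_pin": store.accepts(handover),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the trust decision lives in the consumer's `TrustStore`, keyed by package name, rather than in whoever operates the registry: a key the consumer never pinned for that name is worthless no matter how "valid" the certificate behind it is, and a maintainer handover is visible as a pinning step the consumer has to take.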
