Philip Harrison
I'm excited about the potential here! @jurre @mctofu 👋 This npm discussion RFC was created to improve the DX for developers wanting to update their deps but seems like it...

> Finally! This is one of the requirements for the most security-sensitive organizations.

@mcollina good to hear!

> 1. How is the link between npm account, publish token, npm permissions, CI/CD,...

> This is a very detailed and thorough proposal and I think adding signatures/validation is a good direction overall.

👋 @mhdawson thanks!

> 1. packages that have native code often...

@mhdawson

> I had assumed that to maintain the trusted nature of the CI/CD there might be some limitations but maybe that does not make sense. Is the only thing...

> Why would we want to encourage build artifacts to ever be pushed to a git repo? Is there another alternative?

@ljharb yes this isn't the best idea. I'm realising...

> while i agree, doesn’t that mean there’s no chain of custody, and provenance can’t be guaranteed?

@ljharb my understanding is that as long as we can capture all inputs...

> the only thing that actually matters is "is anything shady in the package" - post-publish verification would answer that

@ljharb yes this is ultimately true and post-publish verification helps...

> What signatures in a packument? If i can use npm to verify them, how can i use npm to generate them?

@ljharb 👋 The current `dist.npm-signature` field that's [already...

> I’m a bit confused. You’re saying that all public npm registry packages have this signature automatically?

Yep. So when you publish a package to npm, a signature is created...

> > Separately, I’d love some motivating examples of actual npm incidents where package signing would have prevented or mitigated the incident, to ensure that this doesn’t end up being...