[HN Gopher] Top-500 NPM package maintainers now require 2FA
___________________________________________________________________

Top-500 NPM package maintainers now require 2FA
Author : cute_boi
Score  : 31 points
Date   : 2022-05-31 19:10 UTC (3 hours ago)
Link   : github.blog

mrtweetyhack wrote:

bob1029 wrote:
| I feel like there are still too many hands in this particular cookie jar, MFA or no. On average, how many other organizations & human developers are somehow involved in the dependency graph of a modern node.js project?
|
| I fail to see how MFA resolves the fundamental trust equation. Bad code is bad code, doesn't matter what the authentication system says about the actor's identity. I can create 2FA-enabled GH accounts all day named after JK Rowling characters without anyone at GH sending me a security nastygram or banning me for identity violations.
|
| Until GitHub requires government-issued photo ID _in addition to_ MFA, I don't think you are going to properly discourage bad or criminal actors. To be clear: I strongly disagree with any notion that GitHub should _require_ photo ID to open an account. But perhaps a "verified user" option (extending to "verified org" if all users are compliant) might provide another path.

joekrill wrote:
| > I feel like there are still too many hands in this particular cookie jar. MFA or no. On average, how many other organizations & human developers are somehow involved in the dependency graph of a modern node.js project?
|
| What does that really matter, though? You could ask the same of _any_ modern application, NodeJS or otherwise: "On average, how many other organizations & human developers are somehow involved in the dependency graph of a modern application?" Look at your web browser alone. You have an open source rendering engine. The JavaScript engine. The underlying libraries used to handle things like SSL, TCP/IP, DNS lookups. It runs on an OS that likely has layers and layers of open source code. Which runs on hardware from various manufacturers with firmware written by many people spread across many organizations.

doliveira wrote:
| Do we need to go this far? Why not just require a DNS, which is what all of web security is centered around anyway?
|
| Most "serious" packages in Maven Central do have a dedicated DNS, for instance, even though there's the fallback of using io.github.username as the namespace. I feel like providing a namespace and starting to incentivize for it to correspond to a real DNS would be a good start.

grenran wrote:
| > Until GitHub requires government-issued photo ID in addition to MFA, I don't think you are going to properly discourage bad or criminal actors.
|
| Yeah, no.

rektide wrote:
| First, there absolutely should be better tools for authors to sign & authenticate their own tools, with heightened cryptographic authentication means. Projects like sigstore get this. But what's spoken of here is a deep imposition, and doesn't empower authors, but demands of them.
|
| > _I fail to see how MFA resolves the fundamental trust equation_
|
| Nothing ever will. Your desire for a cathedral is incompatible fundamentally & at every level with the bazaar.
|
| Trying to drive open-source society towards an industrialized security state for the convenience of your probably non-contributing, not-paying industrialized software production needs is vastly unfair.
|
| If you have needs, you need to take your own responsibility. If you have risks, you need to pay to hedge them. Go hire NodeSource to help you get the Certified Modules you can trust. Go sign contracts with authors to get the support you need. Heck, just check in your package-lock.json and go see what you are downloading: npm is immutable! You could literally do anything to help safeguard yourself, but you ask for absolute protection, something that even the biggest, best corporations can never truly promise. Trying to prevent even one reasonably placed malicious employee from causing disruption is a near impossible task. But you ask for a fundamental safety. This is laughable. None of us can expect nor deserve that.
|
| > _Until GitHub requires government-issued photo ID in addition to MFA_
|
| What a vile & fascist imposition this would be! Woe be unto us if industrialized software so hotly presses for its own security that it embraces such ludicrous & perverse a cowardice as this. Relying on github as your source of trust, and pressuring them to pressure the world into turning over core information, is just as antithetical as I can imagine to the open source behavior & society that has advanced us so far. What a terrible thing to wish for! Egads, gross.

strawhatguy wrote:
| Thank you for writing this; far too much entitlement, far too much blame shifting in the parent comment.
|
| Ultimately, problems with your code, including deps it pulls in, are your problem, no one else's. Code appropriately.

yjftsjthsd-h wrote:
| > Until GitHub requires government-issued photo ID in addition to MFA, I don't think you are going to properly discourage bad or criminal actors.
|
| As a nice bonus, this is a great way to stop people from contributing to projects for free out of the goodness of their hearts. /s

TAForObvReasons wrote:
| OpenSSF, which includes Google and Microsoft, has discussed real name verification requirements. That's definitely where the big money is pushing.

codedokode wrote:
| Sadly, 2FA won't help against a malicious developer or a developer selling a package to a malicious owner.
|
| Maybe there should be a paid service that would manually review packages and provide a curated repository? I can't see other solutions. Either you review the code, or you pay someone to do it, or you isolate every library into a sandbox.

doliveira wrote:
| At the very least, Maven-style DNS-based namespaces would be quite welcome... Then these authentication schemes, or even "reputation", become DNS based, which is much easier to do. Instead of having this random cutoff of popularity.
|
| I don't really get why all these package managers don't copy this from the Java world.

protomyth wrote:
| So, how exactly does this work for the random developer that somehow ends up in the top 500 but doesn't have 2FA turned on?

sheetjs wrote:
| Hi, random developer that somehow ended up in the top 500 but didn't have 2FA turned on (https://www.npmjs.com/package/xlsx)! npm inc invalidated all of our authentication tokens in mid April and we have been unable to sign in via the web interface since then. Assumably the same fate befalls other random devs.

smoldesu wrote:
| Sounds like a pretty bad policy if that inhibits your ability to respond to critical security flaws in your package.

na85 wrote:
| The npm ecosystem has been shown over and over again to be a dysfunctional tire fire.
|
| I feel like at this point continuing to publish on npm is kind of a "that's what you get" situation.

___________________________________________________________________
(page generated 2022-05-31 23:00 UTC)
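The lockfile check rektide points at ("check in your package-lock.json and go see what you are downloading") and bob1029's question about how many hands are in a project's dependency graph, as an added example that is not part of the thread and is not npm's own code: the script below reads a package-lock.json (the lockfileVersion 3 layout with "node_modules/..." keys is assumed), lists every package and publisher scope the lock would install, and verifies each tarball's bytes against the pinned integrity hash the way npm does at install time. The lockfile, the package names, the registry URLs and the tarball bytes are all constructed for the demonstration.

```python
"""Inspect a package-lock.json and verify pinned tarball integrity.

Added example, not code from the thread or from npm. The lockfile and the
tarball bytes are constructed inline so the script runs offline.
"""
import base64
import hashlib
import hmac
import json

# Constructed lockfileVersion 3 layout (assumption: keys are "node_modules/..."
# install paths, as npm 7+ writes them). The "integrity" fields are filled in
# by build_demo() from the constructed tarball bytes, mimicking what npm
# records at install time.
LOCK_TEMPLATE = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"left-pad": "^1.3.0", "@scope/util": "^2.0.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/@scope/util": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/@scope/util/-/util-2.0.0.tgz",
            "dependencies": {"tiny-dep": "^0.1.0"}},
        # nested install: a transitive dependency kept under its parent
        "node_modules/@scope/util/node_modules/tiny-dep": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/tiny-dep/-/tiny-dep-0.1.0.tgz"},
    },
}

# Constructed stand-ins for the tarball bytes npm would download.
TARBALLS = {
    "node_modules/left-pad": b"constructed tarball bytes: left-pad 1.3.0",
    "node_modules/@scope/util": b"constructed tarball bytes: @scope/util 2.0.0",
    "node_modules/@scope/util/node_modules/tiny-dep": b"constructed tarball bytes: tiny-dep 0.1.0",
}

HASH_STRENGTH = {"sha1": 0, "sha256": 1, "sha384": 2, "sha512": 3}


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """Build a Subresource Integrity string: "<algo>-<base64 digest>"."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def strongest_hash(sri: str):
    """An integrity field may carry several space-separated hashes; return the
    strongest supported one as (algo, base64), or None if none is supported."""
    best = None
    for token in sri.split():
        algo, _, rest = token.partition("-")
        algo = algo.lower()
        if algo in HASH_STRENGTH and (best is None or HASH_STRENGTH[algo] > HASH_STRENGTH[best[0]]):
            best = (algo, rest.split("?", 1)[0])  # drop any SRI option suffix
    return best


def verify_integrity(sri: str, data: bytes) -> bool:
    """True only if data matches the strongest pinned hash (constant-time compare)."""
    best = strongest_hash(sri)
    if best is None:
        return False  # no supported algorithm: treat as unverified, not as OK
    algo, b64 = best
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(expected, hashlib.new(algo, data).digest())


def package_name(key: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return key.rsplit("node_modules/", 1)[-1]


def summarize(lock: dict) -> dict:
    """Every package the lock will install and the scopes they come from."""
    names = sorted(package_name(k) for k in lock["packages"] if k)
    scopes = {n.split("/")[0] if n.startswith("@") else "(unscoped)" for n in names}
    return {"packages": names, "scopes": sorted(scopes)}


def check_lock(lock: dict, tarballs: dict) -> list:
    """Lock keys whose tarball is missing, has no integrity pin, or fails it."""
    failures = []
    for key, meta in lock["packages"].items():
        if not key:  # "" is the root project entry, not a download
            continue
        sri = meta.get("integrity")
        data = tarballs.get(key)
        if sri is None or data is None or not verify_integrity(sri, data):
            failures.append(key)
    return failures


def build_demo():
    """Return (lock, tarballs) with integrity pins computed from the constructed bytes."""
    lock = json.loads(json.dumps(LOCK_TEMPLATE))  # round-trip: a lock is plain JSON
    for key, data in TARBALLS.items():
        lock["packages"][key]["integrity"] = sri_for(data)
    return lock, dict(TARBALLS)


if __name__ == "__main__":
    lock, tarballs = build_demo()
    print(summarize(lock))
    print("clean install failures:", check_lock(lock, tarballs))
    tampered = dict(tarballs)
    tampered["node_modules/left-pad"] = b"different bytes served for the same version"
    print("tampered install failures:", check_lock(lock, tampered))
```

The pin catches a tarball that differs from the one recorded when the lock was written (a swapped or corrupted download); it says nothing about whether the recorded version was trustworthy in the first place, so a malicious release you deliberately upgrade to passes the check. Unknown hash algorithms and entries without an integrity field are reported as failures rather than silently accepted.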