[HN Gopher] Top-500 NPM package maintainers now require 2FA
___________________________________________________________________
Top-500 NPM package maintainers now require 2FA
Author : cute_boi
Score : 31 points
Date : 2022-05-31 19:10 UTC (3 hours ago)
(HTM) web link (github.blog)
(TXT) w3m dump (github.blog)
| mrtweetyhack wrote:
| bob1029 wrote:
| I feel like there are still too many hands in this particular
| cookie jar. MFA or no. On average, how many other organizations &
| human developers are somehow involved in the dependency graph of
| a modern node.js project?
|
| I fail to see how MFA resolves the fundamental trust equation.
| Bad code is bad code, doesn't matter what the authentication
| system says about the actor's identity. I can create 2FA-enabled
| GH accounts all day named after JK Rowling characters without
| anyone at GH sending me a security nastygram or banning me for
| identity violations.
|
| Until GitHub requires government-issued photo ID _in addition to_
| MFA, I don't think you are going to properly discourage bad or
| criminal actors. To be clear: I strongly disagree with any notion
| that GitHub should _require_ photo ID to open an account. But,
| perhaps a "verified user" option (extending to "verified org" if
| all users are compliant) might provide another path.
| joekrill wrote:
| > I feel like there are still too many hands in this particular
| cookie jar. MFA or no. On average, how many other organizations
| & human developers are somehow involved in the dependency graph
| of a modern node.js project?
|
| What does that really matter, though? You could ask the same of
| _any_ modern application, NodeJS or otherwise: "On average, how
| many other organizations & human developers are somehow
| involved in the dependency graph of a modern application?".
| Look at your web browser alone. You have an open source
| rendering engine. The JavaScript engine. The underlying
| libraries used to handle things like SSL, TCP/IP, DNS lookups.
| It runs on an OS that likely has layers and layers of open
| source code. Which runs on hardware from various manufacturers
| with firmware written by many people spread across many
| organizations.
| doliveira wrote:
| Do we need to go this far? Why not just require a DNS which is
| what all of web security is centered around anyway?
|
| Most "serious" packages in Maven Central do have a dedicated
| DNS, for instance, even though there's the fallback of using
| io.github.username as the namespace. I feel like providing a
| namespace and starting to incentivize for it to correspond to a
| real DNS would be a good start.
| grenran wrote:
| > Until GitHub requires government-issued photo ID in addition
| to MFA, I don't think you are going to properly discourage bad
| or criminal actors.
|
| Yeah, no.
| rektide wrote:
| First, there absolutely should be better tools for authors to
| sign & authenticate their own tools, with heightened
| cryptographic authentication means. Projects like sigstore get
| this. But what's spoken of here is a deep imposition, and
| doesn't empower authors, but demands of them.
|
| > _I fail to see how MFA resolves the fundamental trust
| equation_
|
| Nothing ever will. Your desire for a cathedral is incompatible
| fundamentally & at every level with the bazaar.
|
| Trying to drive open-source society towards an industrialized
| security state for the convenience of your probably non-
| contributing, not-paying industrialized software production
| needs is vastly unfair.
|
| If you have needs, you need to take your own responsibility. If
| you have risks, you need to pay to hedge them. Go hire
| NodeSource to help you get the Certified Modules you can trust.
| Go sign contracts with authors to get the support you need.
| Heck, just check in your package-lock.json and go see what you
| are downloading: npm is immutable! You could literally do
| anything to help safeguard yourself, but you ask for absolute
| protection, something that even the biggest best corporations
| can never truly promise. Trying to prevent even one reasonably
| placed malicious employee from causing disruption is a near
| impossible task. But you ask for a fundamental safety. This is
| laughable. None of us can expect nor deserve that.
|
| > _Until GitHub requires government-issued photo ID in addition
| to MFA_
|
| What a vile & fascist imposition this would be! Woe be unto us
| if industrialized software so hotly presses for its own
| security that it embraces such ludicrous & perverse a cowardice
| as this. Relying on github as your source of trust, and
| pressuring them to pressure the world into turning over core
| information, is just as antithetical as I can imagine to the open
| source behavior & society that has advanced us so far. What a
| terrible thing to wish for! Egads, gross.
| strawhatguy wrote:
| Thank you for writing this; far too much entitlement, far too
| much blame shifting in the parent comment.
|
| Ultimately problems with your code, including deps it pulls
| in, are your problem, no one else's. Code appropriately.
| yjftsjthsd-h wrote:
| > Until GitHub requires government-issued photo ID in addition
| to MFA, I don't think you are going to properly discourage bad
| or criminal actors.
|
| As a nice bonus, this is a great way to stop people from
| contributing to projects for free out of the goodness of their
| hearts. /s
| TAForObvReasons wrote:
| OpenSSF, which includes Google and Microsoft, has discussed
| real name verification requirements. That's definitely where
| the big money is pushing
| codedokode wrote:
| Sadly, 2FA won't help against malicious developer or a developer
| selling package to a malicious owner.
|
| Maybe there should be a paid service that would manually review
| packages and provide a curated repository? I can't see other
| solutions. Either you review the code or you pay someone to do it
| or you isolate every library into a sandbox.
| doliveira wrote:
| At the very least Maven-style DNS-based namespaces would be
| quite welcome... Then these authentication schemes or even
| "reputation" becomes DNS based which is much easier to do.
| Instead of having this random cutoff of popularity.
|
| I don't really get why all these package managers don't copy
| this from the Java world.
| protomyth wrote:
| So, how exactly does this work for the random developer that
| somehow ends up in the top 500 but doesn't have 2FA turned on?
| sheetjs wrote:
| Hi, random developer that somehow ended up in the top 500 but
| didn't have 2FA turned on (https://www.npmjs.com/package/xlsx)!
| npm inc invalidated all of our authentication tokens in mid
| April and we have been unable to sign in via the web interface
| since then. Assumably the same fate befalls other random devs.
| smoldesu wrote:
| Sounds like a pretty bad policy if that inhibits your ability
| to respond to critical security flaws in your package.
| na85 wrote:
| The npm ecosystem has been shown over and over again to be
| a dysfunctional tire fire.
|
| I feel like at this point continuing to publish on npm is
| kind of a "that's what you get" situation.
___________________________________________________________________
(page generated 2022-05-31 23:00 UTC)