
Cryptographically signed packages #15

Open
victorb opened this issue Apr 24, 2019 · 2 comments

Comments

victorb (Member) commented Apr 24, 2019

Before enabling publishing in Open-Registry, the idea is to require packages to be signed by the developers keys to avoid any problems with people being able to take over packages.

martinheidegger commented May 15, 2019

This seems like it would be actually a layered process:

  • There needs to be a policy of how the registry deals with "unpublishing" and identity theft. How can an identity be restored if it's lost once? Will there be a human way to recover an identity after losing the keys to it?
  • Specify an authentication mechanism that utilizes the current NPM infrastructure to identify a user (i.e. in order to publish over an existing package, the last version needs to be signed)
  • Define a policy on conflicting versions (if the same project is published both to NPM & open-registry)
StefanGussner commented Oct 11, 2019

Recovery can be achieved by providing a way to split a private key into n parts. Those parts can then be distributed to n trusted people.
Those people can all send those parts back if needed.
