Cryptographically signed packages #15

victorb opened this issue Apr 24, 2019 · 1 comment


commented Apr 24, 2019

Before enabling publishing in Open-Registry, the idea is to require packages to be signed by the developers' keys to avoid any problems with people being able to take over packages.


This comment has been minimized.

Copy link

commented May 15, 2019

This seems like it would be actually a layered process:

  • There needs to be a policy of how the registry deals with "unpublishing" and identity theft. How can an identity be restored if it's lost once? Will there be a human way to recover an identity after losing keys to it?
  • Specify an authentication mechanism that utilizes the current NPM infrastructure to identify a user (i.e. in order to publish over an existing package, the last version needs to be signed)
  • Define a policy on conflicting versions - if the same project is published both to NPM & open-registry