
How does it work in practice, though? For example, create-react-app in NPM has a bajillion deps. Do I trust 8,000 keys? Which ones are OK?

I get that you could in principle namespace things (at least for package managers that support this) and insist on a small set of company-internal signing keys for those namespaces. But managing all that isn't easy and what about for package ecosystems that don't really have namespaces (e.g. PyPI, NuGet)?
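As an added example (not part of the original thread, and not any package manager's real implementation), here is a small Go program that models the namespace-scoped approach the comment sketches: a policy that maps each namespace (the "@scope" prefix of a package name) to the few key fingerprints allowed to sign packages there, with the empty namespace as the fallback for unscoped packages. A dependency tree is then checked package by package; a valid Ed25519 signature from a key the policy does not trust for that namespace is rejected just like a broken signature. The keys, package names ("@acme/ui", "left-pad", etc.) and archive contents are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Package is one entry of a (constructed) lock file: name, SHA-256 of the
// archive, the maintainer's signature over that digest, and the signing key's id.
type Package struct {
	Name      string
	Digest    [32]byte
	Signature []byte
	SignerID  string // key fingerprint: hex of the first 8 bytes of SHA-256(public key)
}

// Policy: which public keys are known, and which of them may sign in which
// namespace. Namespace "" is the fallback for unscoped packages.
type Policy struct {
	Keys    map[string]ed25519.PublicKey // fingerprint -> public key
	Trusted map[string]map[string]bool   // namespace -> fingerprint -> allowed
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// namespaceOf returns "@scope" for "@scope/name", otherwise "".
func namespaceOf(name string) string {
	if strings.HasPrefix(name, "@") {
		if i := strings.Index(name, "/"); i > 0 {
			return name[:i]
		}
	}
	return ""
}

// Verify returns name -> reason for every rejected package. An empty map
// means every package is signed by a key trusted for its namespace.
func Verify(p Policy, pkgs []Package) map[string]string {
	rejected := map[string]string{}
	for _, pkg := range pkgs {
		ns := namespaceOf(pkg.Name)
		if !p.Trusted[ns][pkg.SignerID] { // nil map lookup is a safe false
			rejected[pkg.Name] = fmt.Sprintf("key %s not trusted for namespace %q", pkg.SignerID, ns)
			continue
		}
		pub, ok := p.Keys[pkg.SignerID]
		if !ok || !ed25519.Verify(pub, pkg.Digest[:], pkg.Signature) {
			rejected[pkg.Name] = "bad signature"
		}
	}
	return rejected
}

// newSigner generates a key, registers it, and trusts it for the given namespaces.
func newSigner(p *Policy, namespaces ...string) (string, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := fingerprint(pub)
	p.Keys[id] = pub
	for _, ns := range namespaces {
		if p.Trusted[ns] == nil {
			p.Trusted[ns] = map[string]bool{}
		}
		p.Trusted[ns][id] = true
	}
	return id, priv
}

func sign(name string, archive []byte, id string, priv ed25519.PrivateKey) Package {
	d := sha256.Sum256(archive)
	return Package{Name: name, Digest: d, Signature: ed25519.Sign(priv, d[:]), SignerID: id}
}

// Demo builds a constructed policy and lock file and returns the rejections.
func Demo() map[string]string {
	p := Policy{Keys: map[string]ed25519.PublicKey{}, Trusted: map[string]map[string]bool{}}
	acmeID, acmeKey := newSigner(&p, "@acme") // company release key, trusted only for @acme
	ciID, ciKey := newSigner(&p)              // generic CI bot key: known, trusted nowhere
	devID, devKey := newSigner(&p, "")        // one maintainer allowed for unscoped packages

	tampered := sign("@acme/auth", []byte("auth-1.2.0.tgz"), acmeID, acmeKey)
	tampered.Digest = sha256.Sum256([]byte("auth-1.2.0-modified.tgz")) // archive swapped after signing

	pkgs := []Package{
		sign("@acme/ui", []byte("ui-3.1.0.tgz"), acmeID, acmeKey),      // accepted
		sign("@acme/infra", []byte("infra-0.9.tgz"), ciID, ciKey),      // rejected: CI key not trusted for @acme
		sign("left-pad", []byte("left-pad-1.3.0.tgz"), devID, devKey),  // accepted: maintainer trusted for ""
		sign("is-odd", []byte("is-odd-3.0.1.tgz"), ciID, ciKey),        // rejected: not trusted for ""
		tampered,                                                       // rejected: bad signature
	}
	return Verify(p, pkgs)
}

func main() {
	for name, why := range Demo() {
		fmt.Printf("REJECT %-12s %s\n", name, why)
	}
}
```

The point the check makes is the one from the comment: the question is not "does this signature verify" but "is this key one I have decided to trust for this name", and the namespace is what keeps that allowlist small enough to manage.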



> Do I trust 8,000 keys? Which ones are OK?

You can at least trust 8,000 developers whose keys are centrally signed more than 8,000 packages thrown into signing CI tooling by who knows.



