related posts
110 sats \ 0 replies \ @orthzar 2 Nov 2022
Is this a joke? You can't fix NPM by requiring 2FA. This won't stop anyone from making malicious changes to their own packages (e.g. protestware). And this won't stop typosquatting.
The only way to fix NPM is for the people who run it to actually manage the repository. Linux distributions have shown how to do that decades ago, and it's not complicated:
- Assign a team of vetted people to decide what software to include in the repository (public uploads are forbidden).
- That team chooses when to update the software in the repository -- and developers have no say whatsoever.
- Software developers are explicitly forbidden from uploading their own code to the repository (e.g. if you're on the repo team, other's on the team have to approve your software).
By just applying the above principles, major Linux distributions have managed to avoid all of the problems that NPM has.
But NPM has a terminal case of Not Learned Here syndrome (which is a generalization of Not Invented Here syndrome). As a result, NPM suffers from the stupidest problems imaginable: protestware and typosquatting. The people who run NPM are extremely aware of those stupid problems, yet they refuse to apply the solutions that their forebears have proven to work.
I suspect the reason NPM persists in not learning the lessons of the past is that they somehow make money by running a wide-open repository that lets anyone with an internet connection upload packages to it. I don't know how they make money from that, but it's the only explanation that makes sense -- because actual idiots would at least have the humility to try to figure out how other people avoid problems.
reply