(scrolling the timeline, jaw drops) Welp, going to add "my vision of software freedom leads me to reject two-factor authentication on my source code repository" to examples for a future revision of my old talk on how "software freedom" is often a very selfish, libertarian, anti-liberation, anti-ally framing of software philosophy.
If your theory of software freedom is such that you reject basic security precautions that benefit others because they are inconvenient to you we are not allies.
@beamflash I am not an expert on npm, but that one of the top responses is "I am sure virtually everyone understands 'code signing' to mean what it has meant historically" and is talking about... pgp, suggests the issue is complicated (because lolololololololol at "virtually everyone understands" pgp).
@beamflash Obviously npm needs to take security seriously, but I'm extremely skeptical that in 2023 that pgp == seriousness, given the many known challenges with it.
@luis_in_brief Sure, PGP isn't the be-all and end-all these days, but an optional centrally managed signing service doesn't seem that great either. Looking into it more, it's more the developer's fault for blindly trusting code from a CDN (which is a pretty nifty attack vector). Just trying to link it back to the "security is hard, let's not worry" attitude that you are against.
Add comment