Since Shai-Hulud scanned maintainers' computers, if the signing key was stored there too (without a password), couldn't the attackers have published signed packages?
That is, how does signing prevent publishing of malware, exactly?
Yeah, npm has orders of magnitude more users than crates.io. This attack's success, or lack thereof, has no bearing on the savviness of JavaScript or Rust developers.
No maintainer is obligated to maintain access to a discussion space for their users.
> One now doesn't even know and cannot even estimate the number of other issues that must have gone unreported. It's not safe or wise to use a package that is so shrouded in mystery. It is in fact foolhardy.
Issues don't get reported for any number of reasons. All open source is use at your own risk.
Do not try to equalize the risk of using an open software where issues are allowed versus one where issues are not allowed. The risks are not the same. In blocking users from commenting, it is obvious that the authors of this software are trying to cover up for gross negligence and bugs.
Do you simultaneously believe "it is a maintainer's prerogative to ignore any public feedback they receive":
If maintainers don't want to address issues, they only have to ignore them.
and that disallowing comments on a temporary basis, starting in the last few days, is gross negligence?
And do you also believe that the offensive part of this scenario is that their users, who may or may not be compensating them but statistically are not, temporarily don't have a public venue in which to chastise them for a problem that was already responsibly solved in a previously released update?
Do not try to equalize a maintainer guarding their time and energy from having to deal with an issue that has already been fixed and users that refuse to search or read with trying to cover up for gross negligence and bugs.
There are better ways of dealing with it. For example, a particular issue can both be locked and pinned. The readme too can be updated to reflect the concerns. There is never a need to disable all user interaction. It is foul-play and it stinks of other major bugs that the authors don't want users to become aware of.
Damn, I was hoping this bridge would stay in its current limbo state where it's open to pedestrians and bikes but closed to vehicles. It's so much nicer not having a five lane stroad that lets cars go 50mph into a park, and instead having a pseudo-community space.
They could do that, but you'd be able to see that nobody/few outside their cluster signed any of their keys.
Let's say they have fake passports and physically appear at key signing parties. Now you're screwed because even your peers (that you thought know how to validate identities using passports) will get fooled.
That is, how does signing prevent publishing of malware, exactly?