If this were “the solution”, then the many, many smart individuals and teams tasked with solving these problems throughout the software industry would’ve been out of work for some time now.
It’s obviously more complicated than that.
Signed public builds don’t inherently mean jack. It highly depends on the underlying trust model.
—
Malicious actor: “we want to buy your browser extension, and your signing credentials”.
Plugin author: “Well, OK”.
—
Malicious actor: hijacks npm package and signs new release with new credentials
The vast majority of dependent project authors: at best, see a “new releaser” warning from their tooling, which is far from unusual for many dependencies, and ignore it. After all, what are they going to do?
—
Hacker News, as usual, loves to pretend it has all the answers to life’s problems, and the issue is that nobody has listened to them.
> Hacker News, as usual, loves to pretend it has all the answers to life’s problems, and the issue is that nobody has listened to them.
eh, it’s not just HN.
like, there’s no single technical/material solution to something as complex and widespread as humanity’s apparent base need to “get more stuff”. which is the root cause for acting maliciously — it’s just “getting more stuff” in a way that’s harmful to others.
but that won’t stop people from claiming that they can come up with a technical solution. whether that’s politicians, tech bros, HN commentators or that guy down the pub on a thursday evening.
—
that being said, signing software is better than doing nothing… so, a better way of phrasing it from the GP would probably have been that it is a partial mitigation for the problem in some cases.