Closed andrew closed 5 years ago
Some interesting discussions Ruby community members had around package signing in rubygems.org back in 2013 after the registry had a security compromise that never shipped:
Found via https://guides.rubygems.org/security/
@andrew is this issue still needed to track this train of thought, or has it been superseded by other threads? (It is still an important point, I am just wondering if we covered it or documented it elsewhere as the project progressed.)
I think it can be closed
Many of the newer language package managers and registries have little or no support for package signing, and the ones that do don't always enforce signing of new packages, so the percentage of signed packages in a registry is often small.
As IPFS becomes a viable mirror to package managers, some security conscious users are going to want to be able to verify that the package content and/or its metadata really did come from the upstream registry and haven't been tampered with.
Having a mirror on IPFS potentially offers registries verifiable backups in case of data loss or security compromises.
Inspired by an episode of The Manifest with The Update Framework, one approach we might be able to help with when bootstrapping mirrors (like registry.js.ipfs.io) is to sign the packages and metadata added on behalf of the registries.
I'm sure there are other methods that can be helpful in both giving the users confidence in the validity of the data and supporting registries and communities to become more aware of the security issues involved with package management.
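As an added illustration of the "sign the packages and metadata on behalf of the registry" idea from the post above (example code written for this thread, not code from the IPFS, rubygems.org or TUF projects), here is a minimal Go sketch: the mirror operator hashes the exact bytes it mirrors, puts the hash and the package identity into a small manifest, and signs the manifest with an Ed25519 key; a client that trusts that key verifies the signature first and then checks the bytes it fetched against the signed hash. The manifest field names, the `source` field and the key-generation helper are this example's own assumptions, not any registry's real format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata the mirror signs: which package, which version,
// where it was fetched from, and the SHA-256 of the exact bytes mirrored.
// The field names are this example's own, not a real registry format.
type Manifest struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Source  string `json:"source"`
	SHA256  string `json:"sha256"`
}

// SignedManifest bundles the manifest with its detached Ed25519 signature.
type SignedManifest struct {
	Manifest  Manifest `json:"manifest"`
	Signature string   `json:"signature"`
}

// NewMirrorKey creates the mirror operator's signing key pair. In practice the
// private half lives in an HSM or KMS; it is generated in-process here only so
// the example runs stand-alone.
func NewMirrorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical returns the bytes that are actually signed. json.Marshal of a
// struct emits fields in declaration order with no whitespace, so signer and
// verifier derive identical bytes from the same manifest.
func canonical(m Manifest) ([]byte, error) {
	return json.Marshal(m)
}

// SignPackage hashes the package bytes, builds the manifest and signs it.
func SignPackage(priv ed25519.PrivateKey, name, version, source string, pkg []byte) (SignedManifest, error) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: name, Version: version, Source: source, SHA256: hex.EncodeToString(sum[:])}
	msg, err := canonical(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// VerifyPackage checks that the manifest was signed by the trusted mirror key
// and only then that the fetched bytes match the hash the manifest commits to.
// Either a tampered package or a tampered manifest makes it fail.
func VerifyPackage(pub ed25519.PublicKey, sm SignedManifest, pkg []byte) error {
	msg, err := canonical(sm.Manifest)
	if err != nil {
		return err
	}
	sig, err := hex.DecodeString(sm.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("manifest signature invalid")
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != sm.Manifest.SHA256 {
		return errors.New("package content does not match signed hash")
	}
	return nil
}

func main() {
	pub, priv, err := NewMirrorKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a mirrored package tarball.
	pkg := []byte("constructed package tarball bytes")
	sm, err := SignPackage(priv, "example-gem", "1.2.3", "https://rubygems.org", pkg)
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched:", VerifyPackage(pub, sm, pkg))
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 1
	fmt.Println("tampered: ", VerifyPackage(pub, sm, tampered))
}
```

The signature binds the metadata to the content hash, so a client cannot be handed the right manifest with the wrong bytes, or the right bytes under a forged name or version. What it does not do is prove that the bytes came from the upstream registry: it proves that the holder of the mirror key vouched for them, so the trust question moves to how clients learn and rotate that key, which is the bootstrapping problem TUF's root-of-trust and key-rotation metadata are designed to handle.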