Cryptographically signed packages

[victorb]

Before enabling publishing in Open-Registry, the idea is to require packages to be signed by the developers keys to avoid any problems with people being able to take over packages.

[martinheidegger]

This seems like it would be actually a layered process:

• There needs to be a policy of how the registry deals with "unpublishing" and identity theft. How can a identity be restored if its lost once? Will there be a human way to recover an identity after losing keys to it?
• Specify a authentication mechanism that utilizes the current NPM infrastructure to identify a user (i.e. in order to publish over an existing package, the last version needs to be signed)
• Define a policy on conflicting versions - if the same project is published both to NPM & open-registry)

[StefanGussner]

Recovery can be achieved by providing a way to split a private key into n parts. Those parts can then be distributed to n trusted people. Those people can all send those parts back if needed.