top | item 11345718


raesene4 | 10 years ago

A big problem with software repositories that don't allow for/enforce cryptographic signing by the developer is that this can happen...

Ideally the developer would sign before publishing and the consumer could check the signature to validate before using.

Whilst not a silver bullet, this is a kind of essential part of a secure package management solution.


pvg | 10 years ago

Plenty of repositories require signatures.

raesene4 | 10 years ago

For NPM? As far as I'm aware, it's not even an available feature. None of rubygems/PyPI/NuGet require digital signatures...

What repositories were you thinking of that do require that?