Comment by dylan604
I think the npm repos would like to have a word with you. Sure glad we've never had a cryptographically signed malicious package delivered via npm install
That's like moving the goal posts so you can still try to have a point after the fact. Your comment suggested that the package manager was secure while curl | sh isn't because the package manager won't have a valid signature. That's only if the package manager was compromised. A code package that is built to be malicious will still get signed by your manager. Only now, people think they are secure because it was signed.
Couldn't I just publish a package? Then there's malware on the package manager wohooo
That's like not wearing a seatbelt because you can still be crushed by a truck. Don't let perfect be the enemy of good. Package managers prevent some attacks that are possible via curl | sh. Some other attacks are still possible. It is still better than not cryptographically verifying the package.
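An added example to make the two sides of the thread concrete (this is not code from any commenter or from npm): a small POSIX shell script that refuses to execute a downloaded installer unless its SHA-256 digest matches a value pinned ahead of time, in contrast to `curl | sh`, which executes whatever arrives. A pinned digest stands in here for a signature check, because both answer the same question: "is this the artifact that was published?" The three cases in `demo` are constructed fixtures written to a temp directory, not real packages. Case 1 shows verification passing, case 2 shows tampering in transit being refused (the attack that verification does stop), and case 3 shows a script that was published with a matching digest passing verification regardless of what it does (the point that verification says nothing about whether the published content is benign).

```shell
#!/bin/sh
# Added example: verify an artifact against a pinned digest before running it.
# Assumes sha256sum (coreutils) or shasum (macOS) is on PATH.

# Portable SHA-256 of a file, printed as a bare hex string.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest equals EXPECTED_SHA256.
# Returns 1 (and runs nothing) on a mismatch.
verify_then_run() {
    _file=$1
    _expected=$2
    _actual=$(sha256_of "$_file")
    if [ "$_actual" != "$_expected" ]; then
        echo "refusing to run $_file: digest mismatch" >&2
        echo "  pinned : $_expected" >&2
        echo "  actual : $_actual" >&2
        return 1
    fi
    sh "$_file"
}

# demo: three constructed fixtures, all harmless scripts.
# Returns 0 when every case behaves as described above.
demo() {
    _tmp=$(mktemp -d) || return 1

    # Case 1: the artifact we pinned is the artifact we received.
    printf 'echo "installer: doing the install"\n' > "$_tmp/install.sh"
    _pinned=$(sha256_of "$_tmp/install.sh")   # the digest we would have pinned
    verify_then_run "$_tmp/install.sh" "$_pinned" || return 1

    # Case 2: someone altered the file in transit; the pin no longer matches.
    printf 'echo "installer: something else entirely"\n' > "$_tmp/install.sh"
    if verify_then_run "$_tmp/install.sh" "$_pinned" 2>/dev/null; then
        echo "BUG: tampered file was executed" >&2
        return 1
    fi
    echo "tampered copy was refused, as expected"

    # Case 3: a script that was *published* with this content. Its digest
    # matches, so verification passes; it tells you nothing about intent.
    printf 'echo "this script could have done anything"\n' > "$_tmp/published.sh"
    _pinned=$(sha256_of "$_tmp/published.sh")
    verify_then_run "$_tmp/published.sh" "$_pinned" || return 1

    rm -rf "$_tmp"
    return 0
}

demo
```

The digest here is a stand-in for whatever the package manager verifies (a maintainer or registry signature); swapping `sha256_of` for a signature check changes only how `_expected` is produced, not what the check can and cannot tell you.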