Why can't package managers enforce attestations backed by a transparent log for each commit made to a public repository?
They can, but what does it solve? If a malicious package gets pushed, who or what is the equivalent of the CA that you are going to nuke?
They can but that wasn't done in this case and isn't commonly done for various reasons.
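To make the question concrete, here is an added example (not code from any poster or from any real package manager) of the check a client could enforce: a per-commit attestation binds a commit id to the artifact's SHA-256, and the client accepts the package only if that entry carries a valid Merkle inclusion proof against a log root it already trusts. It assumes the attestation signature and the log-root signature have been verified separately, and that the log size is a power of two.

```python
import hashlib
import json

# RFC 6962-style domain separation: a leaf hash can never collide with an interior node hash.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_log(entries):
    """Return (root, proofs): proofs[i] lists (sibling_hash, sibling_is_left) from leaf i up to the root.
    Assumption for this demo: the log holds a power-of-two number of entries."""
    level = [leaf_hash(e) for e in entries]
    n = len(level)
    assert n and (n & (n - 1)) == 0, "demo assumes a power-of-two log size"
    proofs = [[] for _ in range(n)]
    span = 1  # number of original leaves covered by each node at the current level
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            left, right = level[i], level[i + 1]
            for leaf in range(i * span, (i + 1) * span):
                proofs[leaf].append((right, False))
            for leaf in range((i + 1) * span, (i + 2) * span):
                proofs[leaf].append((left, True))
            nxt.append(node_hash(left, right))
        level, span = nxt, span * 2
    return level[0], proofs

def verify_inclusion(entry: bytes, proof, root: bytes) -> bool:
    h = leaf_hash(entry)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

def attestation_entry(commit: str, artifact_sha256: str) -> bytes:
    # Canonical JSON so publisher and verifier hash identical bytes.
    return json.dumps({"commit": commit, "artifact": artifact_sha256}, sort_keys=True).encode()

def package_manager_accepts(artifact, commit, entry, proof, log_root) -> bool:
    """Policy: the logged entry must bind this exact commit to this exact artifact digest,
    and the entry must be provably included in the log whose root the client trusts."""
    claim = json.loads(entry)
    if claim.get("commit") != commit or claim.get("artifact") != hashlib.sha256(artifact).hexdigest():
        return False
    return verify_inclusion(entry, proof, log_root)
```

What this gives a client is detection: a package whose bytes or commit do not match a logged entry is rejected, and every accepted package leaves a publicly auditable record. It does not by itself answer the governance question raised above about who gets revoked when a logged entry turns out to be malicious.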