Can we design something like the VirusTotal setup? (https://en.wikipedia.org/wiki/VirusTotal)
NPM sets up a similar dl_files_security_sigs.db database for all files downloaded from npm in every offline install? List all versions, latest modification date, multiple latest crypto signatures (sha256, etc.), and whether they have been reviewed by multiple security orgs/researchers; auto-flag if any contents are not pure clear/clean text...
If it detects anything (file date, size, crypto sigs) < N days old that has not been through M="enough" security reviews, the npm system will automatically raise a security flag, stop the install, and auto-trigger a security review on those files.
With a proper (default secure) setup, any new version of npm downloads (code, config, scripts) will automatically stop the download and be flagged for global security review by multiple folks/orgs.
When/if this setup is available as the NPM default, would it stop a similar compromise from happening to NPM again? Can anyone think of any way to hack around this?
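The gate the post sketches (hash recorded in a signatures database, "newer than N days" and "fewer than M reviews" both block the install), as an added illustration that is not the poster's code or anything npm ships; the db row format, the thresholds and the sample tarball bytes are all constructed for the demo.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds standing in for the post's N days / M reviews
MIN_AGE_DAYS = 7
MIN_REVIEWS = 2

@dataclass
class SigRecord:
    """One hypothetical row of dl_files_security_sigs.db for a package version."""
    name: str
    version: str
    sha256: str
    published: datetime
    reviewers: set = field(default_factory=set)  # distinct orgs/researchers who signed off

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def gate_install(data: bytes, rec: SigRecord, now: datetime):
    """Return (allowed, reasons). Blocks on a hash mismatch, on a version
    published less than MIN_AGE_DAYS ago, and on fewer than MIN_REVIEWS reviews."""
    reasons = []
    actual = sha256_hex(data)
    if actual != rec.sha256:
        reasons.append(f"sha256 mismatch: db={rec.sha256[:12]}.. got={actual[:12]}..")
    age = now - rec.published
    if age < timedelta(days=MIN_AGE_DAYS):
        reasons.append(f"published {age.days}d ago (< {MIN_AGE_DAYS}d)")
    if len(rec.reviewers) < MIN_REVIEWS:
        reasons.append(f"{len(rec.reviewers)} reviews (< {MIN_REVIEWS})")
    return (not reasons, reasons)

# Constructed sample data: tarball bytes, dates and reviewer sets are made up
PAYLOAD = b"module.exports = () => 'hello';\n"
NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)
OLD_REVIEWED = SigRecord("demo-pkg", "1.0.0", sha256_hex(PAYLOAD),
                         datetime(2023, 12, 1, tzinfo=timezone.utc), {"orgA", "orgB"})
FRESH_UNREVIEWED = SigRecord("demo-pkg", "1.0.1", sha256_hex(PAYLOAD),
                             datetime(2024, 1, 19, tzinfo=timezone.utc), set())

if __name__ == "__main__":
    for rec in (OLD_REVIEWED, FRESH_UNREVIEWED):
        ok, why = gate_install(PAYLOAD, rec, NOW)
        print(rec.name, rec.version, "ALLOW" if ok else "BLOCK", why)
```

Note that the age check blocks every fresh release regardless of content, which is exactly the cost the replies below raise: someone has to supply the M reviews before anything new installs.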
> have been reviewed by multiple security org/researchers
I imagine reviewing all the code for all the packages for all the published versions gets really expensive. Who's paying for this?
How would you identify "security researchers" and tell them apart from the attacker in a trench coat?
After you've done that, why would these supposedly expert security researchers review random code in your package manager?