undefined | Better HN

0 pointsGehinnn5y ago0 comments

What about reviews and review certificates then? If you review a the package foo@1.0 you could publicly certify that it is not malicious and maybe earn some money with it. In turn, you back your claim with a financial security that you pay in case the package actually contains malicious code.

0 comments

josephg5y ago

Thats a great idea - but in a centralized system like npm or cargo you don't need certificates to implement that. (Certs might be a nice implementation though.)

So yeah, there might be a "trusted security reviews with payments" shaped technical solution. I'd love to see someone flesh that out - that sounds like a potential solution to this problem (unlike developer-signed packages).

j / k navigate · click thread line to collapse

0 pointsGehinnn5y ago0 comments

0 comments

josephg5y ago

Thats a great idea - but in a centralized system like npm or cargo you don't need certificates to implement that. (Certs might be a nice implementation though.)

j / k navigate · click thread line to collapse