undefined | Better HN

0 pointsmbreese4mo ago0 comments

I don’t buy this. I mean, I’m sympathetic to the issue. It’s easy for things to get jumbled when companies are young. But we’re talking about libraries that are used by your customers. To many, this is the externally visible interface to the company.

What you describe sounds like a process problem to me. If an $EARLY_EMPLOYEE if the only one with the deploy keys for what is a product of the company, then that’s a problem. If a deployment of that key library can be made without anyone approving it, that’s also a problem. But those are both people problems… and you can’t solve a people problem with a technical solution.

0 comments

woodruffw4mo ago

> But those are both people problems… and you can’t solve a people problem with a technical solution.

I don’t think it is a people problem in this case: the only reason there’s a person involved at all is because we’ve decided to introduce one as an intermediating party. A more misuse-resistant scheme disintermediates the human, because the human was never actually a mandatory part of the scheme.

mbreeseOP4mo ago

What person do you want to remove from the process?

woodruffw4mo ago

The person who intermediates the trust relationship between the index and the source repository. There’s no reason for the credential that links those two parties to be intermediated by a human; they’re two machine services talking.

(You obviously can’t disintermediate the human from maintenance or development!)

1 more reply

j / k navigate · click thread line to collapse

0 pointsmbreese4mo ago0 comments

0 comments

woodruffw4mo ago

> But those are both people problems… and you can’t solve a people problem with a technical solution.

mbreeseOP4mo ago

What person do you want to remove from the process?

woodruffw4mo ago

(You obviously can’t disintermediate the human from maintenance or development!)

1 more reply

j / k navigate · click thread line to collapse