Thinking
- we can trust packages with millions of installs because that's 1m people who haven't complained about a past problem
- we just need to worry about **that** trusted package being high-jacked
- this isn't a way to demonstrate initial trust
- we don't have to worry about it because each maintainer in the dependency graph will interpret trust the *same* way you do
  - except for people adding a new dep because it looks useful
  - except at some point someone does the first install of a package
Self-replies
Package hijacking would be prevented by OAuth to show that the code came from the same repo as usual, and that the repo credentials are two-factor.
For new dependencies that don't have a reputation by dint of 1 million installs (that is the blue check on PyPI now, it's just hard to see at https://pypi.org/stats/, as if blue-check membership were only published to big table, but it is there!) ... for those packages, we're trusting them by some other means, like "Do I like the spelling of the readme.md" and...
I think we can do better.
(like rel=me and backlinks, until I can think of a better idea.)
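One way to mechanise the rel=me/backlink idea from the self-reply, as an added example that is not from the original post: both the package's project page and the homepage it declares must point at each other with `rel="me"` before the link counts. Names (`backlink_verified`, the sample URLs) and the inline HTML are constructed for illustration; in practice the two pages would be fetched separately.

```python
"""Mutual rel=me backlink check (IndieWeb-style identity verification)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit


def normalize(url: str) -> str:
    """Canonicalise a URL so case and a trailing slash do not break a match."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))


class RelMeLinks(HTMLParser):
    """Collect href values of <a>/<link> elements that carry rel="me"."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()  # rel is space-separated
        href = attr.get("href")
        if "me" in rel and href:
            self.links.append(href)


def rel_me_links(html: str) -> list[str]:
    parser = RelMeLinks()
    parser.feed(html)
    return parser.links


def backlink_verified(package_html: str, home_html: str,
                      package_url: str, home_url: str) -> bool:
    """True only if package page -> homepage AND homepage -> package page, both rel=me."""
    pkg_out = {normalize(u) for u in rel_me_links(package_html)}
    home_out = {normalize(u) for u in rel_me_links(home_html)}
    return normalize(home_url) in pkg_out and normalize(package_url) in home_out


# Constructed sample pages (hypothetical package "examplepkg" and homepage example.org).
PACKAGE_PAGE = '<html><body><a rel="me" href="https://example.org/">Home</a></body></html>'
HOMEPAGE_OK = '<html><head><link rel="me" href="https://pypi.org/project/examplepkg"></head></html>'
HOMEPAGE_NO_REL = '<html><body><a href="https://pypi.org/project/examplepkg/">pkg</a></body></html>'
```

A plain link without `rel="me"` (as in `HOMEPAGE_NO_REL`) is rejected, so a homepage that merely mentions the package does not vouch for it.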