Damus
Dr. Bruce Simpson · 7w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpq9zsljfx8tjyzplququr9xmqctclx0qc2mw5xydzx0udqzrfade4qmtrtl5 I had a beard-stroking moment when I saw only 4 "approved" forges are there for PyPi's...
Dr. Bruce Simpson profile picture
@nprofile1q... One "ecosystem" that has its shit somewhat together is Golang, but that's an appeal to authority: you have to treat Google as the source-of-truth for SBOM security with the centralied Golang package database. AFAIK there is no federated equivalent, so it's not exactly democratic or Illich-convivial.
1
ARGVMI~1.PIF · 7w
nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyd968gmewwp6kyqpqgyhskthfz9c5yvf0nku9yurm6g77lz2leh3gh5zm8rdq7879xf8qk29k5f Npm treats Microsoft as the source of truth. The npm package database isn't the problem. The problem is that package maintainers are vulnerable to phishing.