
Comments (6)

ViralBShah commented on June 21, 2024

I am not sure if this issue here is the right place to discuss this - since security is always an ongoing concern and also a process. Perhaps this is part of a larger security discussion that can happen on discourse?


commented on June 21, 2024

it boggles my mind that things would align such that this issue would be closed in this way, but i'm also just like, disillusioned that something so obvious can just sit here untriaged for months, so leave it closed, no one cares.

this is even more relevant now that work on registrator is like, seriously ramping up and so much of that code is harshly and tightly bound to github. if the issue tracker isn't somehow a suitable place to track an issue in the design space of a package registry i don't understand how moving the discussion to another forum is going to be any better. just wanted to be on the record saying "I was thinking about this at one point" in case shit goes wrong for y'all.


StefanKarpinski commented on June 21, 2024

This is not the right place for this issue, which is why it didn't get any attention. When in doubt, post to discourse.

Is this registry appropriately protected against these sorts of problems?

Yes. We don't give out any access tokens to this repo. Very few people have commit bit here and the process of updating it is both automated and secured. Package authors do not need to have any privileges here, but they must have demonstrable privileges on their package repos.

Is there any work that needs to be done to make things safer?

One thing that occurs to me is requiring everyone who has access to this org to have 2FA turned on. I'll do that right away. (Done.)

if the issue tracker isn't somehow a suitable place to track an issue in the design space of a package registry i don't understand how moving the discussion to another forum is going to be any better.

It's pretty simple: this is not the place for this kind of issue/discussion. If you open this kind of issue here, it may get overlooked as it did when you opened this issue in the first place.


commented on June 21, 2024

i will gleefully pretend that i should have gone to discourse and that i'd have gotten better results there insofar as like, the other issues have plausibly actively been considered now. go team :D


commented on June 21, 2024

it's just like, no docs on where the right place to ask the questions u need answered are, and when u go to presumably the appropriate space the most important thing is like, yachts and not other cited scholars talking abt harmful discourse. i get it. reading links is a chore. telling people where you'll ignore them next is way easier.


commented on June 21, 2024

i'm pretty certain tho that i'm generally miffed that a language that's posed as essentially greedy, with infinite possibility over an unimaginable lattice of types, is also like, at the same time run in a seemingly miserly way? very not greedy strategies to what is essentially a very powerful greedy technology. hard to shake the feeling that like, there was a bill of materials and i forgot that there was also no warranty.

