
ArcHound yesterday at 8:09 PM

Let me rephrase - manual security verification is a velocity blocker. People won't do manual security verification of changes.

I agree that npm.org requiring MFA is a good idea in general and in this case.


Replies

habinero yesterday at 9:11 PM

Yup. As someone who's been on both the eng and security side, you cannot improve security by blocking the product bus. You're just going to get run over. Your job is to find ways of managing risk that work with the realities of software development.

And before anyone gets upset about that, every engineering discipline has these kinds of risk tradeoffs. You can't build a bridge that'll last 5,000 years and costs half of our GDP, even though that's "safer". You build a bridge that balances usage, the environment, and good stewardship of taxpayer money.