Hacker News

saltyoldman, today at 6:17 PM (4 replies)

I see a future where there are LLM-vetted repos for Java, Python, Go, etc., and it will cost $1 to submit a release candidate (even for open source).

edit: The idea is that the $1 goes towards the tokens required for an LLM to scan the source code, not simply a dollar charged for no reason other than raising the bar.

First submission is a full code scan; for incremental releases the scanner focuses on the diffs.
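As an added illustration of the flow sketched in this post (example code, not something from the post or from any existing registry): the first submission is packaged for a full review, each later release is packaged as a unified diff against the last accepted release, and cheap regex triage marks the added lines the paid, per-token LLM review should concentrate on. The two package snapshots, the heuristic patterns, the priority rule and the 4-characters-per-token estimate are all constructed assumptions; the LLM call itself is outside this snippet.

```python
"""
Release-gating helper: full review on first submission, diff-focused review
afterwards, with regex triage over the ADDED lines so the LLM budget goes to
the hunks that change trust-relevant behaviour. All sample data is constructed.
"""
import difflib
import re

# Patterns over added lines that warrant close review in a dependency update.
# Illustrative assumptions, not an exhaustive detection rule set.
SUSPICIOUS = {
    "dynamic_exec": re.compile(r"\b(eval|exec|compile)\s*\("),
    "decodes_blob": re.compile(r"\b(base64\.b64decode|codecs\.decode|zlib\.decompress)\s*\("),
    "network": re.compile(r"\b(urllib\.request|requests\.|socket\.|http\.client)"),
    "spawns_process": re.compile(r"\b(subprocess\.|os\.system|os\.popen)"),
    "reads_secrets": re.compile(r"(os\.environ|\.npmrc|\.pypirc|id_rsa|AWS_SECRET)"),
    "long_opaque_literal": re.compile(r"['\"][A-Za-z0-9+/=]{60,}['\"]"),
}
# Files whose contents run at install time, so any change to them is noted.
INSTALL_HOOK_FILES = {"setup.py", "pyproject.toml", "package.json", "Makefile"}


def added_lines_from_diff(diff):
    """Yield the '+' content lines of a unified diff, skipping the ---/+++ header."""
    for line in diff[2:]:
        if line.startswith("+"):
            yield line[1:].rstrip("\n")


def estimate_tokens(text):
    # Assumption: roughly 4 characters per token for source code, good enough
    # to price a scan against a fixed per-submission budget.
    return len(text) // 4


def build_review_payload(previous, current):
    """previous/current map path -> source; previous is None on first submission."""
    if previous is None:
        mode = "full"
        review_text = "".join(f"### {p}\n{current[p]}\n" for p in sorted(current))
        added = [(p, ln) for p in sorted(current) for ln in current[p].splitlines()]
        changed = sorted(current)
    else:
        mode = "diff"
        chunks, added, changed = [], [], []
        for path in sorted(set(previous) | set(current)):
            old = previous.get(path, "").splitlines(keepends=True)
            new = current.get(path, "").splitlines(keepends=True)
            diff = list(difflib.unified_diff(old, new, f"a/{path}", f"b/{path}", n=3))
            if not diff:
                continue  # unchanged file: never sent to the reviewer
            changed.append(path)
            chunks.append("".join(diff))
            added.extend((path, ln) for ln in added_lines_from_diff(diff))
        review_text = "".join(chunks)

    findings = []
    for path, line in added:
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(line)]
        if reasons:
            findings.append({"path": path, "line": line.strip(), "reasons": reasons})
    install_files = [p for p in changed if p.rsplit("/", 1)[-1] in INSTALL_HOOK_FILES]
    if findings:
        priority = "high"          # suspicious added lines: reviewer reads these first
    elif mode == "full" or install_files:
        priority = "normal"        # first submission, or install-time file touched
    else:
        priority = "low"           # diff with nothing the heuristics care about
    return {
        "mode": mode,
        "review_text": review_text,
        "estimated_tokens": estimate_tokens(review_text),
        "findings": findings,
        "install_files_changed": install_files,
        "priority": priority,
    }


# Constructed sample: accepted release 1.0.0 and candidate 1.0.1, where the
# candidate adds a post-install hook that exec()s a base64 blob (the blob only
# decodes to a harmless echo command here; the code never runs it).
PREVIOUS = {
    "setup.py": "from setuptools import setup\nsetup(name='demo', version='1.0.0')\n",
    "demo/__init__.py": "def greet(name):\n    return f'hello {name}'\n",
}
CANDIDATE = {
    "setup.py": (
        "import base64\n"
        "from setuptools import setup\n"
        "from setuptools.command.install import install\n"
        "class PostInstall(install):\n"
        "    def run(self):\n"
        "        install.run(self)\n"
        "        exec(base64.b64decode('aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2VjaG8gaGknKQ=='))\n"
        "setup(name='demo', version='1.0.1', cmdclass={'install': PostInstall})\n"
    ),
    "demo/__init__.py": "def greet(name):\n    return f'hello, {name}!'\n",
}

if __name__ == "__main__":
    for payload in (build_review_payload(None, PREVIOUS),
                    build_review_payload(PREVIOUS, CANDIDATE)):
        print(payload["mode"], payload["priority"], payload["estimated_tokens"], "tokens")
        for f in payload["findings"]:
            print("   ", f["path"], f["reasons"], f["line"])
```

The diff path sends only changed files, so a release that touches nothing but a docstring costs almost no tokens, while the candidate above is flagged before the LLM ever sees it because its added `exec(base64.b64decode(...))` line in `setup.py` trips two patterns.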


Replies

post-it, today at 6:20 PM

It wouldn't help in this case, since the attacker was willing to pay.

zeryx, today at 6:33 PM

That's what JFrog + Artifactory is for; enterprise solved this problem long ago.

herf, today at 6:43 PM

This is an ideal place for LLMs to run (is this changelist a security change or otherwise suspicious?), but I don't think the tokens will be so expensive. For big platforms, transit costs more money; the top packages are something like 100M pulls per week.

tomjen3, today at 6:35 PM

As others have pointed out, this would not have stopped the current attack.

Your strategy sounds reasonable.

However, I don't believe it will work. Not because one dollar is that much money, but because simply having to make a transaction in the first place is enough of a barrier — it's just not worth it. So most open source won't do it, and the result will be that if you require your software to have this validation, you will lose out on all the benefits.

It's kind of funny because most of the companies that would use the extra-secure software should reasonably be happy to pay for it, but I don't believe they will be able to.