It is 100% up to the package manager's steward to control how ownership of packages and namespaces is granted.
Maven Central has existed for decades, and the number of incidents of people stealing namespaces is minimal.
One can't simply publish a package under the groupId "com.ycombinator" without having some way to verify that they own the domain ycombinator.com. Then, once a package is published, it is 100% immutable, even if it has malicious code in it. Certainly, that library is flagged everywhere as vulnerable.
It baffles me that NPM for so long couldn't replicate the same guardrails as Maven Central.
How does that protect against credential theft? MFA required to sign published releases?
Also....
Maven doesn't have "preinstall, install, postinstall", or "build.rs" for Rust, executing arbitrary code during the installation.
The code that's executing with Maven is in your pom.xml, not some hidden code from a transient dependency.
That alone is a major design flaw in both npm and cargo.
Java is boring, because it works. People don't like boring stuff. It's more exciting to play Russian roulette on each install!
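As an added example illustrating the install-hook point made in the thread above (not code from any commenter or from npm itself): a small audit script that walks a node_modules tree and lists every package, transitive ones included, that declares a lifecycle hook npm would run during install. The package names and manifests it builds are constructed sample data.

```python
"""Audit an npm dependency tree for lifecycle scripts that run at install time."""
import json
import os
import tempfile

# Lifecycle hooks that `npm install` executes automatically for a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules: str) -> list[dict]:
    """Report every package.json under node_modules that declares an install hook."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # malformed manifest: skip rather than crash the audit
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": manifest.get("name", os.path.relpath(root, node_modules)),
                "version": manifest.get("version", "?"),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda f: f["name"])


def build_sample_tree() -> str:
    """Constructed sample tree: a clean top-level package and a nested transitive
    dependency that declares a postinstall hook (hypothetical names)."""
    node_modules = os.path.join(tempfile.mkdtemp(), "node_modules")
    manifests = {
        "example-lib": {"name": "example-lib", "version": "1.0.0",
                        "scripts": {"test": "jest"}},
        "example-lib/node_modules/nested-helper": {
            "name": "nested-helper", "version": "0.3.1",
            "scripts": {"postinstall": "node ./setup.js"}},
    }
    for rel, manifest in manifests.items():
        path = os.path.join(node_modules, rel)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return node_modules


if __name__ == "__main__":
    for finding in find_install_scripts(build_sample_tree()):
        print(f"{finding['name']}@{finding['version']}: {finding['hooks']}")
```

Setting `ignore-scripts=true` in `.npmrc` stops npm from running these hooks at install time, which is the usual mitigation when a tree turns up hooks you did not expect.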