
You can (almost) always set up different registries, this is not what GP is talking about. Java packages are named according to (reversed) domain names, e.g. the standard library is in net.java.*, and Java registries allow/require you to prove you own the corresponding domain (Let's Encrypt-style) using a DNS record before publishing a package.


Right, but suppose I depend on the org.example.foo package today, and next month someone else buys the example.org domain specifically so that they can insert their malicious code into the foo package?

Domain names simply do not eliminate supply-chain problems, they only make your packaging system dependent on DNS.
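
The two posts above describe a DNS-backed namespace check and the way it fails when a domain changes hands. The following is an added example, not code from the thread or from any real registry: it maps a reverse-domain group id back to its domain, reads a (constructed) ownership TXT record, and pins the first token it sees per domain so that a later change of owner is reported rather than silently trusted. The `registry-verify=` record format, the `FAKE_DNS` table and the two-label domain rule are assumptions made for the example.

```python
"""Added example (not from the thread): audit reverse-domain Java group ids
against DNS ownership proofs and flag namespaces whose proof has changed.
The TXT-record format and the DNS data below are constructed stand-ins."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for a DNS resolver: domain -> list of TXT records.
# A real audit would query DNS; this keeps the example offline.
FAKE_DNS: Dict[str, List[str]] = {
    "apache.org": ["v=spf1 -all", "registry-verify=a1b2c3"],
    "example.org": ["registry-verify=newowner-9f8e"],   # domain changed hands
    "helicopter.tk": [],                                 # no proof published
}

VERIFY_PREFIX = "registry-verify="   # assumed record format, not a real one


def group_to_domain(group_id: str) -> str:
    """org.example.foo -> example.org.

    Simplification: only the first two labels form the domain, so group ids
    under multi-label suffixes such as uk.co.* are not handled here.
    """
    labels = group_id.split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels):
        raise ValueError(f"not a reverse-domain group id: {group_id!r}")
    return ".".join(reversed(labels[:2]))


def current_token(domain: str, dns: Dict[str, List[str]] = FAKE_DNS) -> Optional[str]:
    """Return the ownership token currently published for the domain, if any."""
    for rec in dns.get(domain, []):
        if rec.startswith(VERIFY_PREFIX):
            return rec[len(VERIFY_PREFIX):]
    return None


@dataclass
class NamespaceAudit:
    # domain -> token observed when the dependency was first adopted
    pinned: Dict[str, str] = field(default_factory=dict)

    def check(self, group_id: str, dns: Dict[str, List[str]] = FAKE_DNS) -> str:
        """Classify a group id as OK, UNVERIFIED (no proof) or OWNER_CHANGED."""
        domain = group_to_domain(group_id)
        token = current_token(domain, dns)
        if token is None:
            return "UNVERIFIED"          # nobody has proved ownership at all
        previous = self.pinned.setdefault(domain, token)   # pin on first sight
        return "OK" if previous == token else "OWNER_CHANGED"


if __name__ == "__main__":
    audit = NamespaceAudit(pinned={"example.org": "oldowner-1234"})
    for gid in ("org.apache.commons", "org.example.foo", "tk.helicopter.x"):
        print(f"{gid:22} -> {audit.check(gid)}")
```

Pinning the token at adoption time is what turns a DNS lookup from a one-off publish gate into a continuing signal: the registry's check passes for whoever holds the domain today, but the consumer's pinned value does not.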


That's still a lot harder and more visible than just taking over an orphaned package or many of the other attacks we see in these other ecosystems.

Especially since DNS gives you real visibility into ownership when auditing/selecting packages.

org.apache is a lot more trustworthy than tk.helicopter.



