Replying to Max

A new npm / package registry signed with nostr keys

Inspired by nostr:nprofile1qy88wumn8ghj7mn0wvhxcmmv9uq3uamnwvaz7tmwdaehgu3dwp6kytnhv4kxcmmjv3jhytnwv46z7qpqaljazgxlpnpfp7n5sunlk3dvfp72456x6nezjw4sd850q879rxqsn5jz4f post on nostr:nprofile1qythwumn8ghj7ct5d3shxtnwdaehgu3wd3skuep0qyt8wumn8ghj7etyv4hzumn0wd68ytnvv9hxgtcqyzf8jfmtl7urem3nj3h9vnpkqz3jsspxn2pqd5qamaqvvset4g9ukgq8syn https://stacker.news/items/1223751

nostr:nprofile1qyt8wumn8ghj7cn9wehjumn0wd68yvfwvdhk6tcpremhxue69uhkummnw3ez6ur4vgh8wetvd3hhyer9wghxuet59uqzpkscaxrqqs8nhaynsahuz6c6jy4wtfhkl2x4zkwrmc4cyvaqmxz3023p0l nostr:nprofile1qyghwumn8ghj7mn0wd68ytnvv9hxgtcqypex583xrnryw3n5aq59uw23kwa38xlf5aeart85nhyx3kuxrgwpzjh056v nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqg7waehxw309anx2etywvhxummnw3ezucnpdejz7ur0wp6kcctjqqstwz8h8yh43pqxyykr3qh8kw7qmxcg6chet7shp5yezflvufmsuhs8c55a2 nostr:nprofile1qyv8wumn8ghj7urjv4kkjatd9ec8y6tdv9kzumn9wsq3yamnwvaz7tmsw4e8qmr9wpskwtn9wvqzpcs03gur430p2dnpq8qkprhy7vl63vkhjfgvav444z465su55mnujc3akf nostr:nprofile1qyx8wumn8ghj7cnjvghxjmcpz4mhxue69uhk2er9dchxummnw3ezumrpdejqqgzkxrzxv2rztc7kjat8y099xlequwj6qdfxvq2mq705qmfpmalyfchfx6e7 nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgewaehxw309a5xyu3wvdhhyctrd3jjuum0vd5kzmp0qqsq2gwmj5csjm0lwqxu7sgtq8d502m9nr08uhhjck3t6ls3vqc4has0y9wx8 nostr:nprofile1qy2hwumn8ghj7etyv4hzumn0wd68ytnvv9hxgqgdwaehxw309ahx7uewd3hkcqpqxv8mzscll8vvy5rsdw7dcqtd2j268a6yupr6gzqh86f2ulhy9kkqnmgc6z nostr:nprofile1qytzqamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcpr3mhxue69uhkummnw3ez6vfwde3x7tnpdenkzmnf9e3k7tcqypr90hlgjed73xq2jvrjhna4ukdx2yjyqmdslqvjzhh83wj8jd9numxx6g9 nostr:nprofile1qqsvrlrhw86l5sv06wkyjgs6rrcekskvk7nx8k50qn9m7mqgeqxjpvg8u2e5q

Then you add in the split payments with lightning/cashu, which nostr:nprofile1qytzqamnwvaz7tmjv4kxz7fwv3sk6atn9e5k7tcpr3mhxue69uhkummnw3ez6vfwde3x7tnpdenkzmnf9e3k7tcqypr90hlgjed73xq2jvrjhna4ukdx2yjyqmdslqvjzhh83wj8jd9numxx6g9 already has working (I think?)!

Signing with nostr keys vs gpg or whatever else wouldn't make much difference in case of compromise though, unless you could really ensure that all package signing keys are using a hardware signer and that the key never left the signer (think HSM/hardware wallet), so that just a compromise of a dev's machine wouldn't be enough; you would also need physical access.

Or using a multisig approach, with multiple parties needing to sign (and some of them not being known), could prevent some of it.


Discussion

True - that's a different problem and multisig is a good starting point to solve that. But you can use nostr web of trust for reputation! I see it as nostr PGP with actual adoption

I know, but the reputation part doesn't solve the hacked part, hence my comment :)

As nostr:nprofile1qqsprwdgjszdhucrfelp3p46nhzvd5mk7gu6zxp8r0fwc4n63zv9pnspz3mhxue69uhhwmm59ehx7um5wghxuet59ucq863l mentioned, zapstore is a much better implementation of this because it's higher up in the food chain. Here you have layers, so maybe the author of the lib you are using has a high rep score with the author of the lib that his lib was using, but not with you. The problem is that a tiny lib is not a finalized product, so you can have multiple layers of reputation/trust in between; it's not very informative at that point.

Did someone jack the devs' keys? Or was it someone playing a long game (where reputation may help more)?

Do it for agents! That's where we have J-curve potential. New app store is cool and I'm a huge fan of nostr:nprofile1qyghwumn8ghj7mn0wd68ytnvv9hxgtcqypex583xrnryw3n5aq59uw23kwa38xlf5aeart85nhyx3kuxrgwpzjh056v & nostr:nprofile1qy2hwumn8ghj7un9d3shjtnyv9kh2uewd9hj7qghwaehxw309aex2mrp0yhxummnw3ezucnpdejz7qpq0r8xl2njyepcw2zwv3a6dyufj4e4ajx86hz6v4ehu4gnpupxxp7s85uvay, but building for agents has way more mainstream potential imo

The initial step of this recent wave of npm hacks started with Qix being hacked, then another dev, so it was not a long-term infiltration like the xz utils attack last year https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack

The agent marketplace is indeed interesting.

I don't see how it would fix the npm problem though, I second what aljaz and Justin said.