
I'm sure some security researcher is doing this, but we could easily create a visualization of "who has contributed over time" and identify transitioning of maintainers automatically just from git.

This might be worth doing and contributing to a site like bestofjs or libraries.io (I don't really use that one though!)
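As an added illustration of the "who has contributed over time" idea in the post above (example code written for this thread, not part of bestofjs, libraries.io or any project named here): the script buckets commits by period, finds the dominant committer per period, and flags the periods where that person changes, marking the case where the incoming committer has never appeared before. It assumes input in the shape of `git log --format='%ad|%ae' --date=short` and a period length in months; the commit log below is constructed sample data.

```python
"""Added example: detect maintainer transitions from git commit history.

Illustrative code written for this thread, not part of any project named
in it. It assumes commit data in the form produced by
    git log --format='%ad|%ae' --date=short
and a period length in months for bucketing (both are assumptions).
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample log: one line per commit, "YYYY-MM-DD|author-email".
# Alice dominates 2022, Bob takes over in late 2023, a never-seen identity
# becomes dominant in early 2024.
SAMPLE_LOG = """\
2022-01-10|alice@example.org
2022-02-03|alice@example.org
2022-03-15|alice@example.org
2022-04-20|carol@example.org
2022-07-01|alice@example.org
2022-09-11|alice@example.org
2022-11-30|alice@example.org
2023-01-05|alice@example.org
2023-02-14|bob@example.net
2023-03-02|alice@example.org
2023-07-07|bob@example.net
2023-08-19|bob@example.net
2023-10-01|bob@example.net
2023-12-12|carol@example.org
2024-01-09|newcomer@example.com
2024-02-21|newcomer@example.com
2024-03-03|newcomer@example.com
2024-05-30|bob@example.net
"""


def parse_log(text):
    """Turn '%ad|%ae' lines into (date, email) tuples, skipping malformed lines."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "|" not in line:
            continue
        day, email = line.split("|", 1)
        try:
            commits.append((date.fromisoformat(day), email.strip().lower()))
        except ValueError:
            continue  # assumption: ignore unparsable dates rather than abort
    return commits


def period_key(day, months):
    """Bucket a date into a label such as '2023-P2' (second half-year for months=6)."""
    index = (day.month - 1) // months
    return f"{day.year}-P{index + 1}"


def contributors_by_period(commits, months=6):
    """Return {period: Counter(email -> commit count)}, ordered by period."""
    buckets = defaultdict(Counter)
    for day, email in commits:
        buckets[period_key(day, months)][email] += 1
    return dict(sorted(buckets.items()))


def detect_transitions(buckets, min_share=0.5):
    """Flag periods where the dominant committer changes.

    A committer is 'dominant' when they authored at least `min_share` of the
    period's commits. A transition is recorded when the dominant committer
    differs from the previous dominant one, and it is marked 'new_identity'
    when the incoming committer had no commits in any earlier period.
    """
    transitions = []
    seen = set()      # every identity observed in earlier periods
    previous = None   # last dominant committer
    for period, counts in buckets.items():
        total = sum(counts.values())
        email, n = counts.most_common(1)[0]
        dominant = email if n / total >= min_share else None
        if dominant and previous and dominant != previous:
            transitions.append({
                "period": period,
                "from": previous,
                "to": dominant,
                "new_identity": dominant not in seen,
            })
        if dominant:
            previous = dominant
        seen.update(counts)
    return transitions


def analyse(text, months=6, min_share=0.5):
    """Run the whole pipeline on raw git log text."""
    return detect_transitions(contributors_by_period(parse_log(text), months), min_share)


if __name__ == "__main__":
    for t in analyse(SAMPLE_LOG):
        flag = " (first appearance)" if t["new_identity"] else ""
        print(f"{t['period']}: {t['from']} -> {t['to']}{flag}")
```

The "new_identity" flag is the part a reviewer would actually want to see: a hand-over to someone who has been around for a while looks different from a hand-over to an address that first shows up in the same period it becomes dominant, though by itself that is a prompt to look closer, not evidence of anything.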

> who has contributed over time

When major security players insist that using GPG is bad, there is no way of knowing if bob@bob.bob is the same account that it was last month or not.

It is not the idea of GPG that's bad. In fact, the idea is great! The implementation of GPG however is quite another thing. Ease of use and user experience are really not that great with GPG. It is difficult to use even for developers. Developers are users too and so on.

Try uploading a signed package on pypi. Sign it with sequoia instead of GPG if you like.

You'll receive an email asking you to stop uploading signatures.

You can sell/steal keys just as easily as accounts.

Ok. Can you get my private key? Feel free to respond to this comment with my private GPG key.

I think guessing a password and getting lucky is much easier.

