Josh welcomes Jordi Boggiano, the lead maintainer of Composer and Packagist, to explain the truckload of security features they’ve recently added. Packagist is the PHP package registry; Composer is the dependency manager for PHP. Recently the people behind these projects have added a number of security features that will improve the security of the entire ecosystem. Jordi explains it all to us and gives a glimpse of what’s coming next.

This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.

Episode Transcript

Josh Bressers (00:00) Today, Open Source Security is talking to Jordi Boggiano. He’s the lead maintainer of Composer and Packagist, and Jordi caught my attention. It’s been probably a week or two now.

for some blog posts that you wrote. Well, I guess your colleagues wrote, maybe. We’ll say whatever. Details. But why don’t you introduce yourself, tell us what Composer and Packagist are and we’ll go from there. Cause I am so excited for this one. I feel like the future is finally here.

Jordi Boggiano (00:15) Yeah.

Okay, so hi. Yeah, so I’m Jordi. I have been maintaining Composer now, which is the PHP dependency manager, for, what is it now, 15 years. So it’s been a while. And 10 years ago, we started a company as well called Private Packagist

to help us kind of fund the open source development. And so that’s, I guess that’s all the blog posts you read that were, those were written by colleagues there at the company because we had, so yeah, just, sorry, I’m gonna go back to what you actually asked me. So you have Composer, the dependency manager. packagist.org is the…

just for anyone not familiar with the PHP ecosystem, that’s the package repository or registry. So that’s where you go and browse for finding libraries, et cetera. And then Private Packagist is the thing we sell, which is packagist.com. So it’s kind of like just security related services for businesses working with Composer and PHP.

And yeah, we had recently, we kind of took two weeks out of the regular schedule and just said, okay, we’ll ignore everything else for two weeks and try and ship stuff as fast as possible and try and communicate a lot about what we’re doing and what we’re planning. And that’s why we wrote like almost a blog post per day for those two weeks. So it’s…

It’s been very busy.

Josh Bressers (02:23) Wait, you did this

all in two weeks?

Jordi Boggiano (02:26) I mean, I think a bunch of the shipped features, some of them were kind of in the pipeline, we were just trying to push them out, and some of the little things we did during those two weeks, but mostly the communication aspect was also a big focus there. Yeah.

Josh Bressers (02:45) Okay. Okay. Okay, so let’s start with your

blog post then. Cause I’m gonna start with a post that’s just titled An Update on Composer and Packagist Supply Chain Security. And I think this one, I mean, this is the one that caught my attention. I think it sets the stage for everything else I’ve seen. And I’ll put links to all this stuff in the show notes for anyone interested. But I’ll just go to your TLDR because I feel like there’s three things you did right away, it looks like, that are

Jordi Boggiano (02:58) Alright.

Yeah.

Josh Bressers (03:13) I think are very impressive. And your things coming are phenomenal in my opinion. So number one, you’ve got Aikido, who I talked to Charlie Eriksen from Aikido like a couple months ago on the show. Like Aikido’s doing amazing work on understanding malware and just malicious things in open source. Aikido, you’re running Aikido malware detection in packagist.org. You’ve got

Jordi Boggiano (03:25) Hmm?

Yeah.

Mm-hmm.

Josh Bressers (03:39) rapid manual incident response by the Packagist team. You’ll have to tell us what that means because I don’t totally understand. And you have a public transparency log, which I think is really cool. So I will let you address those three things in the order of your choosing, but I think all of them feel like a big deal.

Jordi Boggiano (03:53) So Aikido, we started that in April, I think. So in April, we got the feed and we started synchronizing. So they gave us access, what is it, like a CC BY license to the malware feed.

so that we can kind of copy all the data and just like publish it on the website as well and make it accessible to Composer as a client. So the actual Composer release that happened two weeks ago, I believe, where we finally got that into the client. So that now we check really like on install and on update.

Like before installing, we check if any of the versions you’re gonna install are known to contain malware and if they do, we just block it.

Josh Bressers (05:02) And you have a blog post in

this. I think that one’s called Blocking Malware Downloads for Every Composer Version, which is pretty cool. I like it.

Jordi Boggiano (05:07) Yeah.

Yeah, that’s another aspect of Private Packagist where we try to also help some of the customers that are not able to update to the latest Composer version for whatever complicated reasons sometimes. And so we do the blocking at the server level there for them because we can act as an intermediary there. It’s a little bit easier.

Josh Bressers (05:30) Yes.

Okay, so let me ask

you a question. And here’s what I think I read in the post, but you tell me if I got this right. So the private registry, you just, it doesn’t appear, right? And this is, I assume your customers can set whether they want this behavior where if Aikido flags it, you just don’t show it. But for the public registry, if Aikido flags it, the new version of Composer will not install it.

Jordi Boggiano (05:44) Mm-hmm.

Josh Bressers (06:07) And warn you, which you can undo and be like, no, no, I I don’t go away, Akido. But then your team is also, and I guess this is like the second thing where you have the, what’d you call it, the rapid manual incident response, where your team vets those findings and determines if it’s a true positive or a false positive. And obviously at that point you remove it from the public registry. Did I get that right?

Jordi Boggiano (06:07) Right.

Bye.

the incident, yeah.

Yeah, so I think that’s something we’re still kind of trying to figure out because so far, I would say, all but two of them, all the reports they sent us were, you know, just random little packages that nobody’s using. And for those, it’s not too bad. Like if you just leave them lying around, you warn people, like the chances of something bad really happening are fairly low.

Josh Bressers (06:50) Yeah, yeah.

Jordi Boggiano (07:00) But we’ve had, I think, two incidents now in the last few weeks where it was actually like packages that are in heavy use and somehow the maintainers got hacked, or like one of the maintainers got hacked, and they managed to publish a new version on GitHub with malware in it. These are much trickier cases because yes, you do want to intervene.

You want to make sure to stop the spread as fast as possible. So you avoid cases like all the Shai-Hulud stuff in the NPM ecosystem where things start self-replicating. This is really bad.

Josh Bressers (07:34) Yeah, yeah.

I know.

Jordi Boggiano (07:50) So yeah, at that point, I think it’s the response aspect right now. What we do is usually Aikido or also socket.dev, both of them, we have a Slack channel with them. And so if they spot anything bad, they just ping us.

Usually that’s on a Saturday morning at 2 AM because that’s when these things happen. But yeah, we do our best given the times on the Twitter to act as fast as possible. And so yeah, so we just take a look and try to take appropriate actions. But we’re still kind of working on a playbook there and like how, you know.

Josh Bressers (08:20) Yeah. Of course.

Yeah, yeah.

Jordi Boggiano (08:47) figuring out how to best handle these. Also, we’ll still have to develop some workflows on our end so that we can block things a little bit cleaner than just with the existing tooling we had in place. Like we could just delete stuff, but it was fairly rough and not necessarily preventing new malware from happening. I think we really need to still figure out that. But it’s progress.

Josh Bressers (09:14) Yeah, yeah. Well, okay, so I want to actually

ask about, kind of related to that, is one of your posts talks about, and I think this is only for your private registry, the paying customers, but this is a cool feature. So, correct me if I’m wrong, but it sounds like you can restrict what versions of Composer your clients are allowed to connect with. So you can say, like for example, you just talked about, you know, new versions of Composer block malware, old versions don’t.

Jordi Boggiano (09:18) huh.

Mm-hmm.

Yes.

Yeah.

Josh Bressers (09:43) And

so I as an organization could say, I do not want any old versions of Composer to connect to my private registry under any circumstances. And it just fails. Like that is cool, man.

Jordi Boggiano (09:53) Right, right, right.

Yeah, it’s something, you know, it’s just the more we look at it, we’re like, oh yeah, there’s this vector which we’re not covering yet, right? And then you start, because that’s really the problem in like, in big organizations where you do want to control this. It’s just, it’s difficult. If you have a thousand developers, like it’s…

It’s very difficult to run control. Like what is everyone doing on their machine? Do they run the proper up to date version, et cetera. So yeah, this is one aspect of that. But then another angle on this is also like we’ve noticed like with Claude or other LLMs, if you tell them, if you show them an error message saying, hey, this package

Josh Bressers (10:29) Yes.

Jordi Boggiano (10:51) contains malware, so it cannot be installed. So with this, standard error message we’re showing there, which hints at how you can bypass the warning if you need to, because we’re trying to be helpful. we you know, we wanna make sure that people know how to remove this if there’s something that’s flagged incorrectly or something. The problem is, yeah, you feed that into an LLM and it goes like,

Well, I can just do that to bypass the warning and install the package. And so if you have agents like that running with little or no supervision, it’s like quickly you’re going to end up bypassing the rules, which is not great. So we’re also thinking about how we can address that and enforce some rules at the registry level so that…

Josh Bressers (11:24) Yup. Yup.

Jordi Boggiano (11:50) So the registry can really say, all the clients need to enforce the malware filtering and like block doors and kind of just follow the policy there and not like, you know, that you cannot override the policy on the client side, but that’s really the server enforcing it, which we cannot really do for the public, like open source, registry, but for the private one, it’s…

Josh Bressers (12:18) Okay, I mean, so that’s gonna be that’s

a question people have, right? Is why can’t you do that for the public registry? And you and I both know why this is, right? But it’s not I mean, I don’t think people understand how just far behind a lot of, you know, CI systems and containers are.

Jordi Boggiano (12:20) Easy.

Yeah, that’s one aspect for sure. There’s millions of systems running random versions out there. But even then, I think it’s… Even if you assume everyone was running latest, et cetera, there’s still just the odd chance that Aikido flags something very popular as malware, even though they messed up. There’s a chance, right?

Josh Bressers (12:44) Yeah, yeah.

Yes.

Jordi Boggiano (13:05) And so suddenly, I don’t know, like a super popular package can’t be installed anywhere because they flagged it and people have no way to bypass that. That would be a pretty bad day, I would think. So.

Josh Bressers (13:20) Right, right. And there’s also, people love to say, who cares? That breaks the builds, it’s fine. But we saw that with left-pad in the NPM world, where like an enormous amount of the internet just went down because obviously, as soon as CI breaks, like the website breaks and now services are gone, which is terrible.

Jordi Boggiano (13:22) So I think it should be obtained.

Yeah.

Yeah, yeah.

Yeah.

Yeah, this cascades to like unpredictable situations.

Josh Bressers (13:46) Yeah, I mean

you have an impossible job because no matter what you do, someone’s gonna be mad at you. Like

Jordi Boggiano (13:53) To some extent, yes.

Josh Bressers (13:54) There there’s no way out.

That’s why I will say, like, I’m always appreciative when anyone who works on a public registry finds time to talk to me because I know like how terrible and horrible your job is. No matter what you tell me on this show, someone’s going to complain to you about it. So I do appreciate that. All right. I want to ask about your public transparency log, because this one feels

Jordi Boggiano (14:17) Mm-hmm.

Josh Bressers (14:19) interesting to me. I don’t know of any other public registries that are creating a public transparency log of kind of what’s going on. And and in all seriousness, I don’t totally understand what this is or what it’s going to do. I’ve not if you have a blog post, I’ve not found it yet.

Jordi Boggiano (14:31) Yep.

No, it’s in the pipeline. Now we have actually, we had a meeting after FOSDEM in January, I think, in Brussels with all, or not all, but I don’t know, 20 or something different package registries were present there, like represented by one or two people. And so that was very interesting.

Josh Bressers (14:37) That’s fine. I get it.

Nice.

Jordi Boggiano (15:03) I had a good chat there and from that, I gather that I think you’re right. I don’t think any other has really a transparency log. They probably have some amount of internal logging and audit log capabilities, but yeah, we really wanted to make this public.

What we still are missing there though, which is also why the blog post is not really out yet, is the public API to consume it. So right now it’s kind of like the pages and you can just go and browse it manually. So it’s there and it’s public, but it’s not really linked yet from anywhere. And so it’s still kind of flying under the radar, but we’ve been collecting data for almost a year now, I guess.

Josh Bressers (15:59) Wow. And you do note in this post things like denoting if MFA was used when a package is uploaded. I mean, that’s an example, right? Where, like, this is something I could see, I’m sure Aikido’s using this already. But you know, if every version of a package is updated with MFA enabled and all of a sudden there’s one that isn’t, like, what’s going on? I mean, granted, it could be a mistake.

Jordi Boggiano (16:06) Yes. Exactly. Yeah.

Right, right. That’s

exactly the kind of pattern that you can do if you have a public log and you have an API for it. You can start measuring this and just notice if anything out of the ordinary happens. So yeah, that’s the goal. I think for now, already for us, it’s been an amazing resource for just investigating stuff.

So, you know, whenever something happens, you can go look into it and see exactly when a version was added or deleted or, you know, just like.

Josh Bressers (17:03) deleted, I suppose. Right. Cause when you delete something they often just vanish from the registry and no one has any idea what’s going on.

Jordi Boggiano (17:10) Yeah, so that’s something we pushed out, I think, last week, is finally having immutable releases. So you cannot delete them anymore. You can only soft delete. You can soft delete them so they’re pulled from the registry. The clients don’t see them anymore. But on the website and the UI, you still see them. You just see them as like a nice strikethrough kind of thing just to say, there was a version that’s been pulled.

Josh Bressers (17:18) Yes. Like not at all?

Okay.

Jordi Boggiano (17:40) but you cannot republish it. So, I mean, you can republish exactly the same version, like undelete it, but you cannot override it with something else, which has been done a lot in the past. That’s something like we saw, it actually was one of those, one of the two bad malware incidents we had in the last few weeks. They just retagged a bunch of old tags and.

Josh Bressers (17:43) Right, right, good.

Jordi Boggiano (18:10) And so suddenly you have things which look the same as before, it’s the same as before plus some evil stuff in there. And yeah, and so this, I think, is really great to say, okay, that’s just not possible anymore. If a version is out, it’s out as is and that’s it. And so an attacker could publish a new version, but that’s already a lot less confusing than like changing the history.

Josh Bressers (18:10) Yep, yep.

Yeah, yeah. The attackers love doing that.

Yes. Yes.

Jordi Boggiano (18:39) And so far, I think nobody has complained yet.

Josh Bressers (18:44) All but only

attackers use that. Like I feel like there’s no reason.

Jordi Boggiano (18:47) Yeah, no, so

I would think so as well, in effect, like, because we, so I think we deployed this last Friday or Thursday and within a few hours I had already in the audit log, like you would see, cause we keep track of that. So if you try to republish a version, we just keep track of it in the audit log, just to say, hey, there was an attempt to republish something. It didn’t do anything, but it’s just to keep track of it.

And yeah, sure enough, there were already a few packages that tried to do something. And I think it’s just, you know, people often, like, because the way this works currently with Packagist is that the publishing process is really just we pull from Git. So publishing is very easy. You do a Git tag and you push it. We get a notification from GitHub or whatever

platform you’re using. And we go and pull the repo, pull the new tag and make a new release for it. You don’t have to do anything else than just a git tag and push. So what happens is people push a new tag and then they’re like, crap, I forgot to edit that thing. And then they go and fix it and they just retag. Delete the tag, retag it, force push, whatever. Whatever is in the mind of the person doing it.

The problem is in reality, you have already systems like Aikido or like Private Packagist or like, I don’t know what else, that the instant a version is pushed, they go and fetch that. They synchronize that. And then five minutes later you push again, cause you’re like, nobody used that. It’s only been five minutes. Well, you know, a bunch of stuff goes wrong then because you’re like split brain across the whole ecosystem.

So yeah, this actually has an effect which is sometimes really bad. So that’s why we’ve been meaning to block this for many years. And now it’s just with the first instances of malware really hitting us, we were like, okay, let’s just do this now.

I’m glad we have it shipped now because it’s much better like that, I think. I mean, GitHub also moved to this optionally immutable releases a few months back. That’s the same concept, right? Yes, yes. Now we just enforced it. Because we know all the big packages, they already do it correctly because they know and they’ve been bit by this that…

Josh Bressers (21:21) GitHub is optional. Like you’re not optional, right? Okay.

Jordi Boggiano (21:37) Once you publish it, you can’t republish it. Otherwise, someone’s going to complain. The smaller packages yes, you can fly under the radar there mostly, but they’ll just have to learn to live with it. You just retag with one number more. It’s not a big deal. Exactly. You’re not going to run out. It’s OK.

Josh Bressers (21:43) For sure.

Yeah. Right. We have plenty of numbers. It’s fine.

Nice,

nice. Okay. So I want to ask about that. So in your blog post, in your longer term direction section, you have, I mean, related to this, you have, it says package and I don’t understand what this means really, so I’m really interested. It says packagist.org hosting immutable build artifacts directly with SLSA build provenance and Sigstore attestation verified on the Composer client side. I’m curious what that all means. Because you just said you’re just pulling tags out of GitHub. So what’s the build? What’s going on?

Jordi Boggiano (22:15) Yes.

Yes.

Light.

Yeah, so that’s, I think that’s, it’s one of those where, you know, you see the blog posts and when I said like we did that in the last two weeks, like this blog post is definitely like at least five years’ worth of brainstorming and discussions, right? So this is not just something we came up with. No, no, no, but it’s just, yeah, it’s a lot of.

Josh Bressers (22:38) Yeah, yeah.

yeah, for sure. For sure.

Yeah, no one’s gonna hold you to any of this stuff. Yes.

Jordi Boggiano (22:56) It’s a lot to digest and it’s a lot to do as well in the future. ⁓ So what this means, so the current state is we pull the tags and then we tell the client, so composer to go and download from GitHub, GitLab or whatever hosting backend you have. And so we just pull from there the zip files for that one Git reference.

You take the commit hash and we just go and download that. So this works. I mean, this has served us really well for 15 years. It’s been great bandwidth wise because we don’t need to serve the bandwidth. So that’s, it’s a solid system. And I think it has really the beauty that what you get installed is actually what you see in the Git repo.

which compared to NPM or a lot of other ecosystems, but I think NPM in particular, you have really a build system where often you have the source and then the resulting package looks completely different because you cross build it for like ESM and whatever, all types of modules. And so this makes…

Josh Bressers (24:08) Yes.

Jordi Boggiano (24:22) I think security-wise, it’s just much easier to smuggle some dirty stuff in there because the build is not very transparent. You just download this asset and you have, like, if you go look at the git repo you have no idea if that really matches what you downloaded. So in a way, if we want to do, like, signing of packages and

Josh Bressers (24:31) Yes.

Jordi Boggiano (24:50) So all this like build provenance means really you have.

is to try to address that problem, right? It’s to say, you have this build system like the CI on GitHub Actions. It runs this workflow, and it outputs that file. And then GitHub Actions will sign it, and you get this build attestation.

And this you can sign and push it into Sigstore and then verify the kind of, you sign the archive, you sign the attestation and you have this chain of things. And then Sigstore is kind of just a public record then of signatures. So you can go look into that and it’s like immutable and you have some mechanisms as well to verify that externally. So that’s kind of like the…

the overview here. So if we want to do that, then we need to allow people to build and then push the zip to us. And so we end up in a way in a situation which is less secure, I would argue, because you have then this build process in the middle. So that’s the one thing which I’m not a fan of, but we have to see. I think one first step we could

Josh Bressers (26:11) Yeah, yeah.

Jordi Boggiano (26:21) good tech is that we do the builds. So we just download the zip archive from just run a git archive ourselves basically, right? Which is what GitHub is doing, or we even download it from GitHub and we just archive that, sign that, et cetera, and not let the project do any kind of weird build steps in the middle. ⁓

Josh Bressers (26:45) Yes. Yes. And this is

it’s amusing you say that, ‘cause that’s what I assumed you meant by that line, because I talked to someone from the F-Droid project a couple episodes ago, and like this is part of their thing, right? It’s very like Linux distro like, where they do the builds in their environment, not for security necessarily, but more for just like stability and sanity of these apps they’re publishing. And it is amusing because I feel like the Linux distros did this and then

Jordi Boggiano (27:03) Mm-hmm.

Mm-hmm.

Josh Bressers (27:14) All of the package registries were like, whatever, nerds, we don’t need to do that. And I think they’re all now being like, hmm, maybe that was a good idea.

Jordi Boggiano (27:22) Well, yeah, I think it’s difficult. Based on the languages, it’s not always feasible. I would say in PHP, this is fine because you really don’t need this build step because the build happens at runtime on the fly. The language, the interpreter will just take the file, compile it, and run it on the go. So you don’t have really a binary that you need to output or like, you know.

Josh Bressers (27:29) Yeah, yeah.

Right, right.

Jordi Boggiano (27:51) Like in JavaScript, we need to build things in various ways that it’s consumable for by the…

by NPM and by just the various browsers and various targets you have there. So I think we’re lucky in that way that we can actually afford to just say, yeah, we don’t need a build step. I think for some people, a build step would still be beneficial. Like there are some dev tools mostly that kind of ship, much like Composer does actually,

ship these PHAR files, which are like PHP archives. It’s essentially, it’s just a zip file with a bunch of PHP files like glued together. But so you have like all the dependencies in it, et cetera. And so that’s as close as you get to a binary in the PHP sense. But so I think we might allow it at some point, but I would say it’s

Josh Bressers (28:41) Yeah, yeah.

Jordi Boggiano (28:58) It’s good if we come from the other direction and say, but the default is you don’t have that. And if you need weird stuff, like if you need a build step, then we probably want to flag that on the package page, like to say, hey, this package is altering stuff in a way. And then you need to be a little bit more cautious.

Josh Bressers (29:21) That’s fair. That’s fair. Okay. Time to land this plane, my friend. So like tell me what the future of all this looks like. Cause you said you’ve been doing nothing but security for two weeks, which is obviously not going to sustain your business for very long. So I’m curious like what you envision, how you weave some of this in over time, what we can kind of expect. Just, the floor is yours.

Jordi Boggiano (29:46) Hmm. So I wish I had a clear roadmap. Somehow, so what’s been happening, I think, really, over the last few months is that you’ve had more and more attacks. I mean, you’ve seen this, I’m sure, on all the ecosystems. Like, it’s been finally biting us as well a little bit. But just overall, it’s like there’s almost this daily new

Josh Bressers (29:51) That’s fine.

yeah.

Jordi Boggiano (30:16) new strain of Shai-Hulud or whatever hitting NPM. like, it’s you know, it’s completely out there. In parallel to that, have, thanks to these new super advanced LLMs doing security scanning, you have more and more just audits happening and security reports for like vulnerabilities of.

various amounts of severities. Most of them are not so bad, so okay, but still you get new reports all the time. So, I really feel like there’s this acceleration thing going on the last few months where it’s just, it’s not on a super sustainable track where just like everything you try to do, you just get sidetracked.

Josh Bressers (31:07) Yeah, yeah.

Jordi Boggiano (31:13) Like on a daily basis, I feel like there’s always something coming in and going like, well, no, not today. You’re not there. So I feel like talking about the future, I don’t even want to go there because I have no idea what we manage when. yes. OK.

Josh Bressers (31:21) I I know, right?

That’s fine. Okay. So I’m going to do it for you then. So here’s what I’m seeing,

right? Is you mentioned the madness, right? Where you think you’re going to do something every day and you wake up and it’s like, everything is on fire over here. So I’m going to go fix that thing. And there is a lot of short term firefighting happening across this real just across the industry. I won’t even say security industry, because this is affecting everyone at this point, right? But

Jordi Boggiano (31:41) Mm-hmm.

Mm-hmm.

Yeah.

Josh Bressers (31:58) The things you have and the reason I was so excited about your blog post is these are systemic fixes, right? These are things that will deal with entire classes of problems. These aren’t like, we’re gonna fix this one package. We’re gonna, you know what I mean? And now multiply that times a a billion or or whatever. There’s like an ungodly number of open source things out there. Versus saying, you know, we’re gonna turn on MFA. You know, we’re going to make the tags.

Jordi Boggiano (32:17) Yeah.

Josh Bressers (32:27) immutable or releases. I’m sorry in your case. Immutable. You’re you’re talking about, you know, just i enforcing the the malware detection where it’s just you can’t install it. No quite you know what mean? Like those are the kind of steps I think every package registry needs to like put some serious thought into. And you’re going to break things for some people. But the reality is like the danger of not fixing these things

Jordi Boggiano (32:38) Mm-hmm.

Josh Bressers (32:53) vastly outweighs the pain and suffering a a small number, hopefully small number of users will suffer.

Jordi Boggiano (32:55) Mm-hmm.

Yeah. No, I think so. Next step for us, I know, like the close future, let’s say, is working on organization ownership of packages. Because until now we had just like maintainers, you know, as a user, you create your package and then you can add another user to it. But then you end up in a very messy situation there where just, you know,

Josh Bressers (33:15) Yes.

Jordi Boggiano (33:31) bigger projects that have like 100, 200 packages it’s very messy for them to manage this like one by one. Then they tend to share credentials, they can’t easily do MFA. you know, you have this chain of problems. And so it’s really like for us, think having organization ownership will unlock a lot of stuff.

And so yeah, I think once we have that, we can start enforcing MFA for the popular packages at least.

There’s just lots of dependencies on that thing. So I’m hoping that ships in the next few weeks slash months. It’s quite a chunk of work, with all the permission management, et cetera, and migration as well.

Josh Bressers (34:11) Yes.

Jordi Boggiano (34:27) like we need to somehow find good ways to migrate the existing into that. Yeah, yeah. But I think, this should allow us to do really a lot of things. And then the whole hosting archives or sales will also unlock a bunch of stuff. But that has discussed. If you want to do this securely, think it has a lot of dependencies as well.

Josh Bressers (34:35) Yeah, good luck with that one, man.

Right,

that that’s a whole different problem. Wow.

Jordi Boggiano (34:59) I think one thing we realized would help a lot is something which I think NPM published last week as well, I think. Staged releases. I don’t know if you’ve seen that. So that’s really just in short…

Josh Bressers (35:12) Yes.

Jordi Boggiano (35:17) the concept of saying, okay, you release something, but then you need to go either via API or via the website. You have to go and use a second factor authentication to push out the release to the world. So you have a staged release step before you actually release it in the wild. And I think this would help really. ⁓

Josh Bressers (35:40) Yeah, yeah.

Jordi Boggiano (35:44) to really put a huge break on at least for popular packages to say, hey, if you have just thousands and thousands of people installing your stuff every day, then you need to go through this extra step of like going on the website and clicking a thing that says, you’re true. I’m here, I’m a human, I wasn’t hacked. And I still have my hardware key and.

And I think that just really puts a huge improvement into the whole system, like security-wise. And especially it prevents all these automatic spread of worm-like behaviors where, yeah, sure, you have access to this account, so you can start pushing releases there, and then you get access to the other account, and then this chain of hacked.

Josh Bressers (36:23) Yeah, yeah.

Jordi Boggiano (36:41) github accounts which is really bad.

Josh Bressers (36:43) I know, right? All right. All right, Jordi. This is fun, man. I’ve learned a ton. I am excited to see the work your crew does over the next, probably, well, the infinite years. This will never end. But this is awesome. I mean, thank you for the time. Thank you for the work. You know, I know how much effort this is and you’re doing amazing work here. And the fact that you’ve put all this together just gives me the hope I need.

Jordi Boggiano (36:55) Yes.

Thank you.

Josh Bressers (37:12) And I feel like that isn’t around for many of us on a daily basis. It feels pretty dire. So yeah, just, I mean, thank you so much for everything. I appreciate it.

Jordi Boggiano (37:22) Sure, most welcome. Thank you for having me. It was fun. Yeah.

Josh Bressers (37:26) Yep, until next time.