Ecosystem break: ability to detect trusted publishing lost for staged publishes

[43081j]

Many tools in the ecosystem use the _npmUser of a packument to know if a package was created via trusted publishing or not.

When it is, the npm user is the oidc user.

However, now that staging is a thing - the npm user will correctly be the human who approved the publish rather than the automation.

This means there's no longer any way to determine if a package was published via oidc or not.

Due to this, many existing tools in the ecosystem incorrectly detect staged packages as decreasing in trust level.

E.g. this breaks pnpm's trust downgrade check which will fail some installs iirc

Npm is technically doing the right thing here, so the solution is probably to introduce new metadata somewhere to signal when oidc was used.

[ljharb]

That's a flaw in the OIDC implementation - _npmUser should be the human initiating the publish.

What's the benefit in knowing whether OIDC was used?

[43081j]

It's currently who triggered the publish - an automation. If you think it should be the human who triggered the automation, I can see some sense in that too, whatever works.

Either way, there's currently no way to know if trusted publishing was used or not.

To answer your question - something published through trusted publishing is seen as more trusted than a manually published package.

Whether we agree on that doesn't matter much. The tools and a large portion of the community do. So we need to fix it either way

[ljharb]

I thought pnpm's setting was about provenance, not about OIDC?

I agree that the tools and a large portion of the community are wrong - but that doesn't mean we need to fix it by enabling that incorrect belief. OIDC is just 1 factor, and packages published with it (not with staging) are and should be less trusted.

[43081j]

No it's about both.

A trust level decrease is a change on this scale:

None -> provenance -> trusted publish

I don't think we need to debate whether you agree with that scale or not. Previously, it was possible to detect if trusted publishing was used or not, and now it is not.

This means quite a few tools break with staged packages.

What people use that signal for doesn't really matter. It existed and now doesn't

Ideally there's a signal for all 3 in the data: oidc, staging, provenance

[ljharb]

It was never supposed to be possible in the first place.

It definitely matters if people are misusing the signal. It is always a perfectly legitimate decision for a maintainer to start using OIDC and then stop, or start using provenance and then stop, and it is actively harmful for tooling to treat that as a trust downgrade.

[43081j]

I'm not disagreeing if it matters about misuse of the signal or not. But it isn't for this issue.

A signal existed, now it doesn't. This issue is about reintroducing it (possibly in a more structured way).

How people use that signal doesn't matter in this issue.

I use it to show if a package used oidc or not, for example. Now I can't. Let's fix it.

[ljharb]

Since it's already being misused, it is empirically a bad idea to expose such a signal. The "fix" is to ensure that signal never is exposed in the future.

[43081j]

I disagree. npm itself shows when a package was published with oidc. It's generally just useful metadata to have regardless of trust.

But we won't get anywhere debating this. Each to their own.

Just like pnpm, I use this signal today and won't be able to anymore with staged packages. So I think we should reintroduce it.

Fully understand you don't and we don't need to debate that 👍

[ljharb]

It shows when it's published with provenance, not with OIDC.

[43081j]

It shows in the staging area when it is published with oidc, and some other places.

Let's move on 👍 your disagreement is noted and makes some sense from a trust pov. We can see what the team think