Authenticate packages by GitHub owner

[marktoda]

I think packages should only be pushable to the registry by proven maintainers. For example my library forge-gas-snapshot is in the registry, but not published by me and I'm unable to update it. I'm a bit concerned about supply chain issues where malicious versions of packages can be published at known but unclaimed names

Given github repository names are the current standard for package management, One way to avoid this issue is to authenticate with github to claim the name of an existing solidity package

[mario-eth]

Hey, I totally agree with you, i urged from the beginning all the maintainers to reach out to me to claim their packages. A middle solution was an alert saying that those packages are not maintained by the official maintainers.
It's not a way we want the packages to be pushed but until the official maintainers will claim the packages, there is nothing other than keeping high level of security around the central repository.
Please reach out to me on twitter mario_eth to see how we can transition the package into your account.
We will be working on a way to claim via github.

[marktoda]

interestingly my repo doesn't have the warning https://soldeer.xyz/project/forge-gas-snapshot

[beeb]

I like the way jsr.io is doing it, where you can link a github repo with the package in the registry and if you publish it from CI (it uses the repo's OICD ID to login), then you get a "transparency log" which attests that it was published based on the source you expect.