
Package verification using gpg (2015) - peterkelly
https://github.com/npm/npm/pull/4016
======
jessaustin
Haha 'othiym23 must be the most-downvoted person on GitHub. He is constantly
rejecting reasonable patches that make big improvements, because NIH. FOSS,
you're doing it wrong.

It seems possible that npm have been burning all their development cycles on
their new "community", which will allow them to reject patches and black-hole
the record of that rejection. TFA was "archived" yesterday, so the voting has
stopped, but it ain't a pretty picture. It will be so convenient when the next
major vuln comes up, people say "why didn't you accept that PR?" and 'othiym23
will say "what PR?" If you're not going to fix your shit, why not spend some
time building a GitHub clone so you can pretend that your shit is perfect?
They are inspired by Ballmer-era M$...

