The Root CA is generated by the sigstore community (five folks, two from academia). Right now GitHub exchanges an OIDC token for a sigstore root-chained cert.
GitLab are currently adding themselves, to have the same capability (several other providers are there as well).
Extinguish what exactly? Are people publishing packages to anywhere other than npm, and maybe GitHub? Microsoft already owns both of those, so there is nothing to extinguish.
It's not clear what you're worried about, and I'm skeptical you can articulate it, because it makes no sense.
And I say this as someone who is an extremely paranoid anti-corporate crusader, just like I imagine you are. But in this instance, your worry is misplaced.
- build on the record of supply chain compromises in npm to justify a provenance system
- establish yourself as one of the trusted authorities on establishing provenance
- spread fear and doubt about untrusted software
- become the trusted source and supplier of software
- open source becomes synonymous with untrusted software, basically malware
- in Microsoft we trust
I think Microsoft's land grab over open source software was pretty clearly established when they bought GitHub, and the general attitude of "they're nice now, it'll be fine" is going to be judged harshly in the future. Or I'm a paranoid crank with a misplaced mistrust of Microsoft, who didn't declare "Linux is a cancer" or anything like that.
I understand that line of thinking, but what land are they grabbing? They already possess all of it through npm and GitHub.
Do you think they intend to exclude caches like yarnpkg.com as insecure? I don't see how they would do that, since (1) your cache is a local config variable, not part of package.json, so there's no static analysis that could mark packages downloaded through Yarn as insecure, and (2) all of the key signature metadata is publicly available, so any cache or alternative package manager can implement the same provenance features as npm.
Or are you worried about EEE of the upstream source repositories and CI runners, e.g. "only packages built through the GHA platform can contribute provenance data to the npm registry"? I guess I could see that as a more reasonable fear, but as someone else explained to you, it's also unfounded (at least for now - which is maybe your argument), and GitLab is currently working on their own implementation. But even if they tried that, then you could still publish and consume packages from another registry if you wanted to. And I'd like to think that if Microsoft made a hostile move like that, we could count on package managers like yarn to pull provenance data from other sources.
https://github.com/sigstore/fulcio/pull/1097