How to prevent others from submitting new packages to a publisher directory?

[kjxbyz]

How to prevent others from submitting new packages to a publisher directory?

For example: Microsoft is a company name. Many people think that if a package ID is Microsoft.xxx, it is a product developed by Microsoft, which will lead to a lot of malware.

[stephengillie]

Currently, the vigilance of community members is our best defense against this. The need hasn't arisen for an automated solution to be implemented. Were one implemented in the pipelines, it would probably have a list of PackageIdentifiers, and apply a label to the PR on match. The label might be Restricted-Publisher-Needs-Review and use the same or similar color as the Needs-Review This work item needs to be reviewed by a member of another team. label. Then, moderators could review the PR and remove the label if appropriate, to let the PR continue through the pipeline process.

[florelis]

There was a feature for requiring verified publishers to sign off on changes to their packages. Last I heard, the blocker for enabling it was finalizing the business process for verifying a developer.
#100 (comment)

[kjxbyz]

The publisher verification process is cumbersome, requires an enterprise account, and requires an enterprise-level certificate, and is not cheap.

For individual developers, small teams, or startup teams, the requirements are very high.

I hope to launch multiple solutions, of course, publisher verification is one of them.

Reference https://learn.microsoft.com/en-us/entra/identity-platform/publisher-verification-overview