On Good Authority: Release-Authority Measurement for Registry-Mediated Package Ecosystems

Abstract

Dependency graphs show where released code can flow, but they leave implicit whether the public path used to publish a release has changed. We introduce a predecessor-aware release-authority record that compares each package release with its immediate predecessor across publisher, repository, workflow, provenance, signing, and mediation evidence. We instantiate the record over a purposefully sampled, audited April 2024 to June 2026 cohort from npm, PyPI, Maven Central, crates.io, and RubyGems: 45,812 releases, 43,100 eligible predecessor comparisons, and 942 package coordinates. Go is reported separately, through a VCS/proxy/checksum-log boundary adapter. Transparent rules identify 204 policy-triggering discontinuities in the public release path; the exact trigger policy forms the primary candidate queue. A uniform semantic-distance rule selects 320 releases and covers 190 of the 204 triggers; a descriptive regime-specific rule selects 337 releases and covers all 204. In a blinded 60-row shared core, three practitioners rated 20 of 30 triggers as immediate review, 9 of 30 as monitoring, 1 of 30 as no review, and all 30 controls as no review. These signals are review cues over public release-path evidence, not detections of compromise: the exact malicious versions in our external alignment have zero overlap with the policy triggers, and same-path compromise, an unchanged but compromised CI pipeline, and versions absent from public snapshots all require evidence beyond this release-path record.
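The core mechanism of the abstract, a predecessor comparison over the six evidence fields, is easy to misread as a dependency-graph check, so here is an added worked illustration of what the record actually compares. This is example code written for this page, not the paper's implementation, and its trigger rule is a hypothetical stand-in for the paper's trigger policy, which the abstract does not spell out. The field encodings (`"ci-oidc"`, `"slsa"`, `"sigstore"`, the meaning of `mediation`) and the package `example-pkg` are constructed assumptions.

```python
"""Added illustration of a predecessor-aware release-path comparison.

NOT the paper's implementation or its trigger policy: a constructed sketch of
the idea in the abstract, comparing each release with its immediate
predecessor across the six evidence fields named there. The field encodings
and the trigger rule are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# The six evidence dimensions named in the abstract.
AUTHORITY_FIELDS = ("publisher", "repository", "workflow",
                    "provenance", "signing", "mediation")


@dataclass(frozen=True)
class Release:
    package: str
    version: str
    publisher: str             # registry account that published the release
    repository: str            # source repository the release claims to come from
    workflow: Optional[str]    # CI workflow identity, None if published outside CI
    provenance: Optional[str]  # build-provenance attestation kind, None if absent
    signing: Optional[str]     # signing mechanism, None if unsigned
    mediation: str             # assumed label for how the publish was mediated


def release_path_diff(prev: Release, cur: Release) -> dict:
    """Fields whose value differs between a release and its predecessor."""
    return {f: (getattr(prev, f), getattr(cur, f))
            for f in AUTHORITY_FIELDS
            if getattr(prev, f) != getattr(cur, f)}


def is_policy_trigger(diff: dict) -> bool:
    """Hypothetical trigger rule (an assumption, not the paper's policy):
    flag a change of publisher, repository or workflow, or the loss of
    provenance or signing evidence that the predecessor had."""
    if any(f in diff for f in ("publisher", "repository", "workflow")):
        return True
    for f in ("provenance", "signing"):
        if f in diff and diff[f][0] is not None and diff[f][1] is None:
            return True
    return False


def scan_package(releases: list) -> list:
    """Compare each release with its immediate predecessor.

    `releases` must already be in publish order. The first release has no
    predecessor and yields no row, which is why the abstract counts fewer
    eligible comparisons than releases.
    """
    rows = []
    for prev, cur in zip(releases, releases[1:]):
        diff = release_path_diff(prev, cur)
        rows.append({"version": cur.version, "predecessor": prev.version,
                     "changed": diff, "trigger": is_policy_trigger(diff)})
    return rows


# Constructed sample for a fictional package; not drawn from the paper's cohort.
SAMPLE = [
    Release("example-pkg", "1.0.0", "alice", "github.com/example/pkg",
            "release.yml", "slsa", "sigstore", "ci-oidc"),
    Release("example-pkg", "1.0.1", "alice", "github.com/example/pkg",
            "release.yml", "slsa", "sigstore", "ci-oidc"),
    # 1.1.0: a different account publishes outside CI, with no provenance or signature.
    Release("example-pkg", "1.1.0", "bob", "github.com/example/pkg",
            None, None, None, "token"),
    # 1.1.1: the original path returns; the comparison is symmetric, so this is
    # also a discontinuity relative to its predecessor 1.1.0.
    Release("example-pkg", "1.1.1", "alice", "github.com/example/pkg",
            "release.yml", "slsa", "sigstore", "ci-oidc"),
]


def sample_triggers() -> list:
    """Versions in SAMPLE whose release path broke with their predecessor."""
    return [r["version"] for r in scan_package(SAMPLE) if r["trigger"]]


if __name__ == "__main__":
    for row in scan_package(SAMPLE):
        print(row)
```

Note what the sample does and does not show: 1.1.0 and 1.1.1 are both flagged because each differs from its own predecessor, while a release published by the same account through the same, possibly compromised, workflow produces an empty diff and is invisible to this record, which is exactly the caveat the abstract closes on.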
