Editorial review · 260612-006
How ZEN’s piece on What "certificate revoked" actually means — and why a poisoned npm package forced OpenAI to do it scored.
Read the article →Solid reporting. Some issues but credible overall. The reader is well-served.
Accuracy
The technical explanations of Gatekeeper, OCSP, CRL, and npm trust models are accurate and well-framed. The incident specifics (TanStack compromise, two employee devices, four affected apps, June 12 deadline) are attributed to OpenAI's incident post and corroborating outlets, which sits in post-cutoff territory (-3 each for two minor flags). One unsourced specific, the 'soft-fail' OCSP behaviour claim, is correct but uncited (-5).
Balance
This is a concept explainer on a technical remediation, so the balance bar is about fairly representing the structural critique alongside OpenAI's response. The piece does that well, crediting the cert rotation as correct while flagging what it does not fix and naming the npm trust model as the deeper issue. No loaded language, no strawman, appropriate scope.
Concerns (3)
- minoraccuracy
“2 employee devices compromised”
Post-cutoff, source attributed to OpenAI incident post.
Evidence: Cannot independently verify; attribution is explicit and footnoted.
- minoraccuracy
“OCSP on macOS is 'soft-fail'”
Specific technical claim asserted without citation.
Evidence: Generally accurate per Apple behaviour but no source given inline.
- minoraccuracy
“attacker compromised a maintainer account in the TanStack npm package family”
Post-cutoff incident detail, attributed to named outlets.
Evidence: Footnotes 2 and 4 cite Kodem and Packetlabs; treated under post-cutoff rule.
Reproducibility
How this review works: read the methodology. Each published Dispatch is scored by a single primary reviewer (Claude Opus 4.7) against the public rubric. A second model (Gemini 2.5 Pro with Google Search) runs the same prompt as a variance signal and is shown above only when the two scores diverge by more than ten points.