💾 Archived View for d.moonfire.us › garden › development › untrusted-packages › self-serve captured on 2022-06-03 at 23:47:59. Gemini links have been rewritten to link to archived content
Outside of a single developer or team, DRY[1] means that there needs to be a mechanism for discovering and using others' work so that nobody repeats that work either. That is the basis of package ecosystems.
The ecosystem has three components:
The easiest way to implement these is to create a single service that does all three, showcasing the packaging system, and that service naturally becomes the go-to place to get packages. Almost always, that also means most ecosystems consolidate on (or never move beyond) a single source that provides everything.
That is our npmjs.org, nuget.org, and crates.io.
Since these are the showcases for the package system, they start with the need to bootstrap themselves and to reduce the effort of producing packages for a new ecosystem. This means we get a self-serve system where any developer can upload a package for others to discover and use.
With continual development, packages are built on packages[2] uploaded by hundreds of different developers. Reviewing or vetting every single one would be overwhelming for individuals to do on their own, and there is little profit in it for most companies. So these packages get uploaded with few restrictions and are made available as soon as they are published.
That is where our malicious packages come in. It doesn't take much to upload one malicious package and have it dropped into place. For a mature package, that one package may be the foundation for countless other projects that touch every part of the globe.
That is how `node-ipc` and `left-pad` caused so much damage in so little time.
The retrospectives after those events led to changes that slowed the influx of new packages or added the need to scan packages. That's how we got Dependabot scanning and why NuGet requires an SSL certificate to upload packages (and why I don't upload my C# packages there: I have been unable to afford one).
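The "one package is the foundation for countless projects" point is easiest to see by walking a lock file backwards from a flagged package to everything that depends on it. The script below is an added example, not code from this page or from any of the registries named here; it works over a constructed package-lock.json v3 style "packages" map (the real npm key layout, but the package names and versions are invented), resolves each dependency the way Node's node_modules lookup does, and reports which installed packages and the root project would pull in a given name and version.

```python
"""Blast-radius walk over an npm lockfile v3 "packages" map (added example)."""
import json
from collections import deque

# Constructed sample lockfile (not from any real project). The root app
# depends on "web-framework" and "logger"; "web-framework" uses the hoisted
# string-pad@1.3.0, while "logger" carries its own nested string-pad@2.0.0.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.0.0", "logger": "^1.0.0"}},
        "node_modules/web-framework": {
            "version": "2.1.0",
            "dependencies": {"string-pad": "^1.0.0", "http-utils": "^3.0.0"}},
        "node_modules/http-utils": {"version": "3.0.4"},
        "node_modules/string-pad": {"version": "1.3.0"},
        "node_modules/logger": {
            "version": "1.0.2",
            "dependencies": {"string-pad": "^2.0.0"}},
        "node_modules/logger/node_modules/string-pad": {"version": "2.0.0"},
    },
})


def resolve(packages, from_path, name):
    """Return the lockfile key that `name` resolves to when required from
    `from_path`, walking up the node_modules tree like Node's resolver."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Drop the last "/node_modules/<pkg>" segment and retry one level up.
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def build_graph(lock_text):
    """Map every lockfile key ("" is the root project) to its resolved deps."""
    packages = json.loads(lock_text)["packages"]
    edges = {}
    for path, meta in packages.items():
        edges[path] = set()
        for dep in meta.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is not None:
                edges[path].add(target)
    return packages, edges


def dependents_of(edges, target_key):
    """Reverse BFS: every key that transitively depends on `target_key`."""
    reverse = {}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    seen, queue = set(), deque([target_key])
    while queue:
        key = queue.popleft()
        for parent in reverse.get(key, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def affected_by(lock_text, name, version):
    """Find installed copies of name@version and everything that reaches them.
    Returns (matching lockfile keys, sorted dependent keys); "" means the root."""
    packages, edges = build_graph(lock_text)
    hits = [key for key, meta in packages.items()
            if key.rsplit("node_modules/", 1)[-1] == name
            and meta.get("version") == version]
    dependents = set()
    for hit in hits:
        dependents |= dependents_of(edges, hit)
    return hits, sorted(dependents)


if __name__ == "__main__":
    for ver in ("1.3.0", "2.0.0"):
        hits, deps = affected_by(SAMPLE_LOCK, "string-pad", ver)
        print(f"string-pad@{ver}: installed at {hits}, reached from {deps}")
```

Running it against the constructed lock shows that only `web-framework` and the root project pick up `string-pad@1.3.0`, while `logger` is isolated by its nested copy; on a real lock file the same walk tells you whether a flagged version is actually reachable before you start an incident response.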