💾 Archived View for d.moonfire.us › garden › untrusted-packages captured on 2022-07-16 at 15:22:04. Gemini links have been rewritten to link to archived content
The open-source ecosystem is huge, with thousands upon thousands of developers creating billions of projects across multiple languages. Most of the time, these packages are pushed up to centralized sites for discovery and download with no human oversight.
This is the crux of the problem. As an ecosystem acquires more packages[1] managed by self-serve[2] systems, there is always a risk of a malicious developer[3] creating a package that benefits them in some manner. It might be stealing information, protesting current events[4], making money[5], or simply destroying things. Those individual packages are difficult to detect, more so when other developers are mandated to keep packages up to date, or when the package itself is nested as a dependency of another one.
3: https://psychopathyis.org/stats/
4: https://www.theregister.com/2022/03/18/protestware_javascript_node_ipc/
What this plot[6] aims to do is list one possible approach to handling this problem, along with some suggestions and next steps, because complaining about a system without proposing one isn't very productive. Naturally, if this is productive, it would be an attempt to create a standard[7], but one that I think needs to be done sooner or later, by someone's method or another.
7: https://www.explainxkcd.com/wiki/index.php/927:_Standards