Hacker Read

For starters, packages should probably be considered non-transferable. If someone buys a package, they shouldn't keep the existing rankings and ratings.

It would be challenging to be proactive about it, but it would be a clear solution when they get caught.




I feel like "pick the more popular package" is a good enough solution in this case.

I would never expect them to do that without vendoring the package. Which mitigates that risk.

Not to mention if the package name itself changes...

Yes, but they don't enforce it for new packages.

At least with most packages this can't happen anymore.

If a package owner distributes a wheel, you're good. Most packages do now.


Exactly, so all you could do is trigger certain bundles to be 'unlocked': you would always have to ship them.

I agree, but I see them as a patch to get something that could be more cleanly achieved with a transactional packaging system.

The problem is that no one reviews what goes in the package registries. Unless someone spots the security issue it goes unnoticed and unfixed. Particularly true with new and not very popular packages.

To be fair to the author though, this package won't take more than a couple of hours to review quickly for potential back doors, and if you just want one data structure it's at most in 3 files.


I know. Yet most folks take packages at face value as if it was a part of some standard library.

apt deciding it should yeet essential packages is not a new thing and has happened many times to many people.

But they should have a repo or something where you can get the sources of individual packages. Else it's a bit shady.

That's an interesting idea!

A "vetted" package index that charges subscription and splits the revenue with package maintainers. In return, maintainers agree to jump through all the extra hoops and index maintainers do extra verification (but still no warranty except that the standard procedure is followed).

The same package can then be uploaded to the normal index (as it is now), but without these extra steps, and no vetting.


even when you keep making new accounts and "losing" the packages!

Thanks for the feedback, I'm not that happy with "see the packages" either so I'll probably follow your advice.

Agree about that. And I'm not wild about the idea of having to do a special incantation before using the package system anyway, myself.

Your own mirror of third party packages is definitely the way to go. I'm continuously stunned this is not standard practice.

That would still be the case if the packages weren't 1-3 years out of date.

http://seclists.org/fulldisclosure/2006/Mar/130

Just some food for thought concerning package ecosystems.


What if they were sold as a package deal?
