Untrusted Packages (v0.0.3, 2022-07-17)

The open-source ecosystem is huge, with thousands upon thousands of developers creating billions of projects across multiple languages. Most of the time, these packages are pushed up to centralized sites for discovery and download with no human oversight.

This is the crux of the problem. As an ecosystem acquires more packages managed by self-serve systems, there is always a risk of a malicious developer creating a package to benefit themselves in some manner. It might be stealing information, protesting current events, making money, or simply destruction for its own sake. Such individual packages are difficult to detect, more so when other developers are mandated to keep packages up to date, or when the package itself is nested as a dependency of another one.

The aim of this post is to lay out one possible approach to handling this problem, along with some suggestions and next steps, because complaining about a system without coming up with a system of your own isn't very productive. Naturally, if this proves productive, it would amount to an attempt to create a standard, but one that I think needs to happen sooner or later, by one method or another.