[GoLUG] Writing an internet server

Ron ron at bclug.ca
Fri Aug 22 01:24:16 EDT 2025


Barry Fishman wrote on 2025-08-20 18:19:

> Do we really need to have 3.1+ million packages without any curation
> as the repository used for all JS development?

Probably not.

But what's the limit at which no new packages should be allowed, though?


> Couldn't independently reviewed repositories exist, so people
> building websites could have some validation that the software they
> use has had at least some vetting?

Sure, but who's going to pay for that?

One can download packages, review and validate them, and host them in 
one's own local repo. It's a lot of work though and partially defeats 
the whole point of software libraries.


But most public repos aren't curated:

> Files uploaded to CPAN are NOT manually inspected. Of course we will 
> be very interested to hear if some file contains nasties like Trojan 
> horses and/or virii, but CPAN takes no responsibility for the
> contents of CPAN or what they might do.

https://www.cpan.org/disclaimer.html <-- about 35,000 packages


PyPI:
    All of PyPI: 29.4 TB
    7,309,158 releases
    669,658 projects

> The Python Packaging Authority (PyPA) is a working group that 
> maintains a core set of software projects used in Python packaging.

Looks like PyPI has a curated core group of packages?

But ~30 TB of data ... in well over ½ million projects? No one is 
curating all that.



I don't think DockerHub is curated either.

Nor Github.



One can avoid non-curated repos by writing all the code oneself, but
that's impractical.  It's recommended to be careful about selecting
libraries that have significant numbers of installs.



It's a tricky problem without simple answers.
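The "download, review, validate, host locally" workflow mentioned above has one mechanical piece worth showing: once a package has been reviewed, record the hash of the exact file that was reviewed, pin it, and refuse anything in the local mirror that does not match. The example below is added here and is not part of the original thread or of any package index's tooling. It parses pip-style requirement lines in the `name==version --hash=sha256:...` form that pip's hash-checking mode uses, rejects entries that float or carry no hash, and compares constructed stand-in artifacts against the pinned digests. All package names and file contents are constructed for the example.

```python
"""Pinned-and-hashed dependency audit (constructed example).

Every dependency must be pinned to an exact version with a sha256 hash (the
shape pip uses with --require-hashes), and each artifact stored in the local
mirror is checked against that hash before it is treated as the reviewed copy.
"""
import hashlib
import re
from dataclasses import dataclass

# name==version, followed by zero or more --hash=sha256:<hex> options
REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.\-]*)==(?P<version>\S+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=sha256:(?P<digest>[0-9a-fA-F]{64})")


@dataclass(frozen=True)
class Requirement:
    name: str
    version: str
    digests: frozenset


def parse_requirements(text):
    """Parse pip-style requirement lines.

    Returns (requirements, problems). A line is a problem if it is not pinned
    with == or carries no sha256 hash; such lines are excluded from the result.
    """
    requirements, problems = [], []
    # pip joins physical lines that end in a backslash
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            problems.append(f"not pinned to an exact version: {line!r}")
            continue
        digests = frozenset(h.group("digest").lower() for h in HASH_OPT.finditer(m.group("rest")))
        if not digests:
            problems.append(f"no sha256 hash for {m.group('name')}=={m.group('version')}")
            continue
        requirements.append(Requirement(m.group("name").lower(), m.group("version"), digests))
    return requirements, problems


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def audit(text, artifacts):
    """Check locally stored artifacts against the pinned hashes.

    artifacts maps package name -> bytes of the downloaded file.
    Returns (results, problems): results maps name -> "ok" | "mismatch" |
    "missing"; problems lists requirement-file entries rejected during parsing.
    """
    requirements, problems = parse_requirements(text)
    results = {}
    for req in requirements:
        data = artifacts.get(req.name)
        if data is None:
            results[req.name] = "missing"
        elif sha256_hex(data) in req.digests:
            results[req.name] = "ok"
        else:
            results[req.name] = "mismatch"  # the file is not the one that was reviewed
    return results, problems


# --- constructed sample data; these are not real packages ---
ARTIFACT_A = b"contents of pkg-a-1.0.0 as reviewed"
ARTIFACT_B = b"contents of pkg-b-2.3.1 as reviewed"
TAMPERED_B = ARTIFACT_B + b" plus an unexpected change"

SAMPLE_REQUIREMENTS = f"""
# hashes recorded when the packages were reviewed
pkg-a==1.0.0 \\
    --hash=sha256:{sha256_hex(ARTIFACT_A)}
pkg-b==2.3.1 --hash=sha256:{sha256_hex(ARTIFACT_B)}
pkg-c>=0.9          # floating version: rejected
pkg-d==4.0.0        # pinned but unhashed: rejected
"""

# What is sitting in the local mirror: pkg-b has been altered since review.
SAMPLE_ARTIFACTS = {"pkg-a": ARTIFACT_A, "pkg-b": TAMPERED_B}

if __name__ == "__main__":
    results, problems = audit(SAMPLE_REQUIREMENTS, SAMPLE_ARTIFACTS)
    for name, status in results.items():
        print(f"{name}: {status}")
    for p in problems:
        print("problem:", p)
```

On the sample input, pkg-a verifies, pkg-b is reported as a mismatch because the stored file differs from what was hashed at review time, and the two entries without an exact pin or a hash never reach the mirror check at all. Running the same audit with a mirror that lacks pkg-b reports it as missing rather than silently falling through to the public index.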

