[GoLUG] Writing an internet server
Barry Fishman
barry at ecubist.org
Fri Aug 22 15:13:51 EDT 2025
On 2025-08-21 22:24:16 -07, Ron wrote:
> Barry Fishman wrote on 2025-08-20 18:19:
>
>> Do we really need to have 3.1+ million packages without any curation
>> as the repository used for all JS development?
>
> Probably not.
>
> But, what's the limit at which no new packages should be allowed though?
>
>
>> Couldn't independently reviewed repositories exist, so people
>> building websites could have some validation that the software they
>> use has had at least some vetting?
>
> Sure, but who's going to pay for that?
Who is paying for all the damage that is being done to sites that have
been burned by JS's lack of validation, and who are continuing to use
these packages without certification?
As long as we refuse to deal with actually solving problems, rather than
passing the responsibility around, things are just going to get worse
and more expensive for everyone. We know the answer to your question.
We just refuse to hear it.
>> Files uploaded to CPAN are NOT manually inspected. Of course we will
>> be very interested to hear if some file contains nasties like Trojan
>> horses and/or virii, but CPAN takes no responsibility for the
>> contents of CPAN or what they might do.
>
> https://www.cpan.org/disclaimer.html <-- about 35,000 packages
>
> Pypi:
> All of PyPI 29.4 TB
> 7,309,158 releases
> 669,658 projects
>
>> The Python Packaging Authority (PyPA) is a working group that
>> maintains a core set of software projects used in Python packaging.
> Looks like PyPI has a curated core group of packages?
>
> But ~30 TB of data ... in well over ½ million projects? No one is
> curating all that.
At least under Linux, most users of these packages get them through their
OS vendor, which has a pool of volunteers selecting what gets included in
the distribution, overseen by trusted gatekeepers. Problem packages
get past these gatekeepers occasionally, but someone in the security
community usually finds them and they get weeded out or fixed.
The reason this is such a problem with JS is that the code actually being
used on internet sites is not visible, nor is how often it is updated. Each
site is managed by a small team of overworked developers, who are
evaluated on how quickly they get things implemented and not on how they
get it done.
What do you expect?
--
Barry Fishman