Comments (6)
I am not sure if this issue here is the right place to discuss this - since security is always an ongoing concern and also a process. Perhaps this is part of a larger security discussion that can happen on discourse?
it boggles my mind that things would align such that this issue would be closed in this way, but i'm also just like, disillusioned that something so obvious can just sit here untriaged for months, so leave it closed, no one cares.
this is even more relevant now that work on registrator is like, seriously ramping up and so much of that code is harshly and tightly bound to github. if the issue tracker isn't somehow a suitable place to track an issue in the design space of a package registry i don't understand how moving the discussion to another forum is going to be any better. just wanted to be on the record saying "I was thinking about this at one point" in case shit goes wrong for y'all.
This is not the right place for this issue, which is why it didn't get any attention. When in doubt, post to discourse.
Is this registry appropriately protected against these sorts of problems?
Yes. We don't give out any access tokens to this repo. Very few people have commit bit here and the process of updating it is both automated and secured. Package authors do not need to have any privileges here, but they must have demonstrable privileges on their package repos.
Is there any work that needs to be done to make things safer?
One thing that occurs to me is requiring everyone who has access to this org to have 2FA turned on. I'll do that right away. (Done.)
if the issue tracker isn't somehow a suitable place to track an issue in the design space of a package registry i don't understand how moving the discussion to another forum is going to be any better.
It's pretty simple: this is not the place for this kind of issue/discussion. If you open this kind of issue here, it may get overlooked as it did when you opened this issue in the first place.
i will gleefully pretend that i should have gone to discourse and that i'd have gotten better results there insofar as like, the other issues have plausibly actively been considered now. go team :D
it's just like, no docs on where the right place to ask the questions u need answered are, and when u go to presumably the appropriate space the most important thing is like, yachts and not other cited scholars talking abt harmful discourse. i get it. reading links is a chore. telling people where you'll ignore them next is way easier.
i'm pretty certain tho that i'm generally miffed that a language that's posed as essentially greedy, with infinite possibility over an unimaginable lattice of types, is also like, at the same time run in a seemingly miserly way? very not greedy strategies to what is essentially a very powerful greedy technology. hard to shake the feeling that like, there was a bill of materials and i forgot that there was also no warranty.