Julia losing popularity among Data Science users (KDnuggets Software Poll)

Thank you for your response.
Although it does not, strictly speaking, answer my question about whether my concern is relevant.

I do not really understand what you consider to be “extreme vetting”. If you actually review the source code of a given Julia package update, it may be the very first external look at it, isn’t it?

I guess I thought it was implied by my comments that yes, I do believe your concerns to be quite relevant,
which is why I described the techniques we’d used to deal with them.

Ok, thank you again. I think that most attacks remain silent and a malicious package can pass the functional tests. What do you think about peer reviewing?

  • Or perhaps it’s buried at the bottom of a free-wheeling conversation in Community that many of the folks who would be interested in participating aren’t following.

This is definitely something that many of us have been thinking about, but I think your audience here is limited. Could you start a new thread over in #user?

4 Likes

OK thank you,
I wrote this because I asked the same question in another thread a few weeks ago (Pkg security question - #12 by LaurentPlagne) with no response.
I will create a specific thread.

I’ve been pushing the idea (not originated with me, there was a discussion on GitHub, with Stefan, Tom Breloff, and others, some time ago, 2 years ago maybe?) of using Julia orgs to have their own curated registries of packages in their area(s) of expertise.
I’d also require some number (3?) of members of the org to review and approve the package, never let people merge their own PRs (seen too much breakage when that is allowed - becomes the Wild West).
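As an added illustration of the review policy proposed in the post above (this is example code written for this page, not code from the Julia project or from the poster), here is a small merge gate that models the two rules: a package update to a curated registry merges only once a minimum number of distinct org members have approved it, and an author's approval of their own PR never counts. The threshold of 3, the member list and the reviewer names are constructed values for the example.

```python
# Added example: a merge-gate policy check for a curated package registry.
# Rules modelled (from the proposal above):
#   1. at least MIN_APPROVALS distinct members of the org must approve;
#   2. an author can never approve their own PR;
#   3. approvals from people outside the org do not count.
from dataclasses import dataclass, field

MIN_APPROVALS = 3  # hypothetical value; the post suggests "some number (3?)"


@dataclass
class PullRequest:
    author: str
    approvals: set[str] = field(default_factory=set)


@dataclass
class MergeDecision:
    allowed: bool
    counted: set[str]      # approvals that satisfied the policy
    reasons: list[str]     # audit trail explaining the decision


def evaluate_merge(pr: PullRequest, org_members: set[str],
                   min_approvals: int = MIN_APPROVALS) -> MergeDecision:
    """Decide whether a registry PR may be merged under the org's review policy."""
    reasons: list[str] = []
    counted: set[str] = set()
    for reviewer in sorted(pr.approvals):
        if reviewer == pr.author:
            # Rule 2: self-approval is discarded, even if the author is a member.
            reasons.append(f"self-approval by {reviewer} ignored")
        elif reviewer not in org_members:
            # Rule 3: only members of the curating org carry weight.
            reasons.append(f"approval by non-member {reviewer} ignored")
        else:
            counted.add(reviewer)
    if len(counted) < min_approvals:
        # Rule 1: not enough independent member reviews yet.
        reasons.append(f"{len(counted)} of {min_approvals} required member approvals")
        return MergeDecision(False, counted, reasons)
    reasons.append(f"{len(counted)} member approvals, policy satisfied")
    return MergeDecision(True, counted, reasons)


if __name__ == "__main__":
    # Constructed sample data: a four-member org and two PRs from "alice".
    members = {"alice", "bob", "carol", "dave"}
    blocked = evaluate_merge(PullRequest("alice", {"alice", "bob", "carol"}), members)
    merged = evaluate_merge(PullRequest("alice", {"bob", "carol", "dave", "eve"}), members)
    for decision in (blocked, merged):
        print("MERGE" if decision.allowed else "BLOCK", "; ".join(decision.reasons))
```

The audit trail in `reasons` is there on purpose: when a merge is refused, the maintainer sees which approvals were discarded and why, which is the information a registry operator would want logged alongside the decision.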

I agree with this. Sidestepping flamewars, many argue JavaScript is horrible. Many argue node.js and the philosophy of a small stdlib with an ecosystem of small packages is ideal. It certainly has not stopped the JavaScript world having such a package ecosystem.

There is also no guarantee that technically amazing programming languages will find wide adoption versus PLs less well suited to the solution space.

“New Jersey Approach” versus “MIT Approach” is real and there are many real-world examples, though it’s not really measurable. The rise of Worse is Better. In fact, some camps explicitly adopt Worse is Better.

I like the idea that Julia is the next Julia. Don’t fit the language to the narrative, fit the narrative to the language.

4 Likes