Not sure if this fits in here exactly, but it seems close enough: There is a bunch of “official” or at least “official looking” (???) GitHub organizations in the Julia ecosystem. Some I am aware of:
and certainly many more. Some of them specify https://julialang.org/ as their homepage. Some people will give extra credence to these orgs and content below them because they “seem” official, i.e. endorsed by the Julia team. But are they? In reality there is no way to know.
I was suggesting to some people to use https://github.com/bcbi/CompatHelper.jl but they refused because they “don’t like running foreign code on the repository (which gives plenty of access permissions). TagBot at least belongs to the JuliaRegistries organization.” While I don’t agree with this assessment (bcbi to me is not more or less trustworthy than, say, julia-action), it made me wonder…
What is stopping me from registering the org https://github.com/JuliaActions and putting the content of https://github.com/julia-actions there, but with some nefarious extra bits inserted? And then also a copy of CompatHelper, and some other stuff… and then I convince people to switch to it. Not sure I could actually do harm with this, but it still seems problematic.
So, some questions:
- Are there any “officially endorsed” (say, by the Julia stewards) GitHub organizations beyond <https://github.com/JuliaLang>?
- If so, which are they, and how can one find out?
- If there are others, perhaps they could be marked as such by stating this in their description, and perhaps by also adding a “verified domain name”.
- If there are none, resp. if not all of the above are “official”: Maybe they should be asked to not list https://julialang.org as their homepage?