Published VS unpublished // registered vs unregistered

I read a couple of times that “people” tend to trust registered packages. Where does the difference in trust come from? Is a registered package checked for harmful code?
Am I missing a point?

My understanding is that registration confers no special security accreditation to a package. There are more eyes on making sure things aren’t going to break other packages, and that the requisite configuration / dependency-specifying files are in place, but to my knowledge no code review is performed (at least a code review that looks at security implications).

The trust that people place in registered packages probably stems from the fact that it’s easy to see how many other packages depend on them (via Julia Observer, for example), and the risk calculation that the more widely-used a package is, the less likely it is to deliberately misbehave.

Edited to add: there’s a great (if often quiescent) channel in Slack called #pkg-trust that might be of interest to you and others wishing to discuss this and related issues.

9 Likes

The checks for automatically registering a package are fairly basic. It has to be able to automatically be installed and loaded.

FWIW, none of my registered packages show up on JuliaObserver.

2 Likes

One small bit of trust could be that if a registered package was found to have malicious code, the version would be removed (“yanked”) from the registry, so at least you know packages from the registry aren’t known-malicious (which maybe could be different from some git repo found elsewhere on the internet?).

1 Like

No, registered packages are not checked in detail. You may be interested in

2 Likes