Question about closed-source API packages

I recently released SAMaDB.jl (South African Macroeconomic Database API) and published it to the General Registry (General/S/SAMaDB at master · JuliaRegistries/General · GitHub). After publishing I made the repository private again because the code contains credentials to access a relational database. The credentials in effect cannot be used to do anything harmful, but I did not want to make it very easy to find them by putting them into a public repo. I am now wondering: can you guys install this package using `Pkg.add("SAMaDB")`? It seems to me the source code for the package has not been copied into the General Registry upon release, so the package might only be installable by someone with access to the repo?

Yes, the package is available because it got archived by the package servers upon registration. The current policy of the General registry is not to permit the removal of published packages, so I would recommend rotating those credentials.

7 Likes
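The thread's conclusion is that anything committed at registration time is archived by the package servers and cannot be withdrawn, so the only fix is rotating the credentials and keeping secrets out of the source from then on. The following is an added example, not code from the thread or from SAMaDB.jl, showing the two defensive habits that prevent a repeat: reading database credentials from the environment at runtime, and scanning a package's `.jl` files for credential-looking literals before tagging a release. The environment variable names, the regex patterns and the sample `config.jl` are all constructed for this illustration.

```julia
# Added example (not part of the original thread or of SAMaDB.jl).
# 1. Load database credentials from the environment instead of committing them.
# 2. Scan a source tree for hard-coded credentials before registering a release.

# Hypothetical variable names; SAMaDB.jl's real configuration is not shown on the page.
function db_credentials()
    user = get(ENV, "SAMADB_DB_USER", nothing)
    pass = get(ENV, "SAMADB_DB_PASSWORD", nothing)
    if user === nothing || pass === nothing
        error("SAMADB_DB_USER and SAMADB_DB_PASSWORD must be set; credentials are not stored in the package")
    end
    return (user = user, password = pass)
end

# Patterns that typically indicate a secret pasted into source (constructed, not exhaustive).
const CREDENTIAL_PATTERNS = [
    r"(?i)(password|passwd|pwd)\s*=\s*[\"'][^\"']+[\"']",      # password = "..."
    r"(?i)(api[_-]?key|secret|token)\s*=\s*[\"'][^\"']+[\"']", # api_key = "..."
    r"(?i)\b\w+://[^/\s:]+:[^@\s]+@",                          # user:pass@host in a connection URL
]

# Return (file, line number, line) for every suspicious line in a .jl file under `dir`.
function find_hardcoded_credentials(dir::AbstractString)
    hits = Tuple{String,Int,String}[]
    for (root, _, files) in walkdir(dir)
        for f in files
            endswith(f, ".jl") || continue
            path = joinpath(root, f)
            for (n, line) in enumerate(eachline(path))
                if any(p -> occursin(p, line), CREDENTIAL_PATTERNS)
                    push!(hits, (path, n, strip(line)))
                end
            end
        end
    end
    return hits
end

# Demo on a constructed source file: two of the three lines should be flagged.
function demo()
    dir = mktempdir()
    write(joinpath(dir, "config.jl"), """
        const DB_HOST = "db.example.invalid"
        const DB_PASSWORD = "s3cret-value"
        conn = "postgresql://sam:hunter2@db.example.invalid/macro"
        """)
    hits = find_hardcoded_credentials(dir)
    for (file, n, line) in hits
        println("$file:$n: $line")
    end
    return hits
end

demo()
```

Running `find_hardcoded_credentials(".")` from a package root before `] registry add` or tagging a release catches the case described above, and `db_credentials()` fails loudly rather than silently falling back to an embedded value when the environment is not configured.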