Security in Julia Packages

How does Julia insure that packages are not compromised by bad actors? Case in point an article that I read stated that pypi contained 50% of its packages with security vulnerabilities ( About half of Python libraries in PyPI may have security issues, boffins say • The Register). If a user wanted to use Julia on a government required security level server system, what would need to happen to insure that the security level is being met?

According to the README of the General Registry - which is the one used by default for Julia packages:

The General registry is not a curated list of Julia packages. In particular this means that:

  • packages included in the General registry are not reviewed/scrutinized;
  • packages included in the General registry are not “official” packages and not endorsed/approved by the JuliaLang organization;
  • the General registry and its maintainers are not responsible for the package code you install through the General registry – you are responsible for reviewing your code dependencies.

Therefore, no guarantee at all. For what might be worth, though, a big amount of packages are hosted in Github repositories, and they may have enabled security policies (cf. Code security - GitHub Docs, and the “Security” tab in the repository pages).

This is one of the reasons-for-being for JuliaHub — both technically (e.g. support for airgaps, package disallow lists, etc) and administratively (e.g. SOC 2 and other controls).