Weekend at Bernie's - Which of your dependencies are wearing sunglasses?

andrewnez@mastodon.social

Weekend at Bernie's - Which of your dependencies are wearing sunglasses?

Weekend at Bernie’s

Which of your dependencies are wearing sunglasses

Andrew Nesbitt (nesbitt.io)

mistersql@mastodon.social

@andrewnez I had a bot write skip-trace to try to track down who in the real world owns a package. A lot of the package repos
- don't care who owns the package
- want to protect privacy

Is Mr Anonymous dead? How can you know anything about someone you know nothing about?

#Pypi provides no messaging system itself. But does have a package takeover process that depends on messaging!

Client Challenge

(pypi.org)

djc@hachyderm.io

@andrewnez could I get access to the list of dead critical repos in the Cargo ecosystem (ideally in order of criticality)? Seems very relevant to my RustSec work.

donaldball@triangletoot.party

@andrewnez @bagder Maybe worth observing that there are mature language ecosystems (clojure, elixir) where folk are culturally quite careful about dependencies, and often times a package not being changed for years is a sign not of abandonment, but that the package is finished.

andrewnez@mastodon.social

@donaldball @bagder if you read the post you’ll see that I definitely consider that, it’s about how responsive the maintainers are, not just how often they are committing/releasing

aerique@genart.social

@andrewnez That's a nice conundrum:

Declare a tight version range and get hit by vulnerabilities because new versions are not downloaded;

Or accept (patch) updates and get hit because a vulnerable update is downloaded (f.e. due to a supply chain attack).

andrewnez@mastodon.social

The code I used to collect and query this data from @ecosystems is here: https://github.com/andrew/weekend-at-bernies