OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.

Might be worth linking to previous exploits #11

Closed sempf closed 5 years ago

sempf commented 5 years ago

It has been pointed out to me, by those who shall remain nameless (unless they decide to out themselves), that it might be worth pointing out the known flaws in packages. For instance, the npm documentation paints a rather rosy picture when we all know it is a dumpster fire. Just a thought.

mkonda commented 5 years ago

So ... first of all, let's make sure to make this a positive space for the maintainers. Asserting that their stuff is a dumpster fire is not a great way to get their attention. Some of the people already involved here are also involved with the packaging systems. Also, even where there may be issues, the people involved may have been fighting the good fight and making things better for a while against a flood of things beyond their control. I want them to come off looking good by association with the project. My goal in the end is that this information and the people involved are a resource to them to make things as good as is reasonably possible - and that the overall status is understood!

I know you didn't mean anything there so no specific harm or foul there, but I just want to call it out so people can see us keeping a positive tone! (And partly because I know you can "take it")

But to answer the actual point, yes, I think concrete examples of cases where packaging systems have been misused or abused make a lot of sense. I have no issues with sharing those in docs or however makes the most sense.

That said, I do not necessarily feel prepared for this to become a source of truth for any of those streams - that's tech and maintenance work I personally can't commit to. The package maintainers themselves mostly have email distribution lists around security updates and people should be on those or use the tools themselves to get the most up to date stuff.

Make sense? Fair?

sempf commented 5 years ago

No, you are totally right. It's pretty well established that I have diarrhea of the mouth. I used the term tongue-in-cheek and I should not have. We are all fighting the good fight here. Let's keep it up. This has the potential to be an ASVS-level project as far as impact is concerned, and we should work together to get this nailed.

mkonda commented 5 years ago

Added an issues page.