OWASP / packman

A documentation and tracking project with the goal of making package management systems more secure.

Track if a published version can be deleted #24

Open mrinalwadhwa opened 1 year ago

mrinalwadhwa commented 1 year ago

Very useful project. Thank you.

There was a Twitter thread a few months ago, around the time of this incident.

"which package ecosystems protect downstream libs/apps from a published version of an upstream lib being deleted" https://twitter.com/mrinal/status/1546250871784108033

The thread captured the state of this for:

I wished at the time for something like packman, and today someone pointed me to packman :)

If there is interest in tracking this aspect, I'd be happy to send a pull request.