Closed isoos closed 1 year ago
We've gotten a bunch of questions about what "unverified publisher" means, and I fear that this might cause something similar. How would a user know what unverified means here? Could we link to a log with the failure, or something like that?
> Could we link to a log with the failure, or something like that?
If the package is analyzed, we could link to the pana report, and it should have the failures outlined. However, we don't analyze all versions, and old version pages may have links that we don't even attempt to verify, and we don't have any logs to display there.
> How would a user know what unverified means here?
Tbh. I'm not even sure what verified would mean if the analysis happened 2-3 weeks ago.
I think we will not show links as "unverified" (for now). The verification status is affecting the score by 10 points, and details show on the /score page. Perhaps that is enough.
Let's reopen if we change our mind, or find a user-friendly way of conveying this information along with the link.
In the latest discussion on verified repository links, we have concluded that we want to keep most links displayed, and suggested the following difference when a pubspec-provided link is verified vs. when we are unable to verify (either by not analyzing it or when the analysis fails):
E.g. verified links either get no suffix (e.g. when homepage link returns 200 OK) or the provider suffix (GitHub), otherwise links get the (unverified) suffix. Whether the suffix part should be part of the link or outside of the <a> element is also to be decided.
@mit-mit: wdyt?