wbond / package_control

The Sublime Text package manager
https://packagecontrol.io

Packages under review disappear from package control without explanation #1557

Open Shelagh-Lewins opened 3 years ago

Shelagh-Lewins commented 3 years ago

The package SublimeLinter-eslint is missing from the list of installable packages, as reported in this issue:

https://github.com/SublimeLinter/SublimeLinter-eslint/issues/306

It would seem that eslint requires review: https://packagecontrol.io/news#2021-02-24-Package_Takeover_Vulnerability_Notification

I think the Package Control behaviour is confusing because a user will try to follow standard instructions to install eslint and is given no clue in Package Manager as to why the package is missing. I assumed that it had been deprecated in favour of eslint_d, and it took me a long time to find the issue reported above and realise that eslint was still the package I should use.

I suggest that when a package requires review, instead of silently disappearing the package, Package Control should show it with a warning that the package requires review. The user would then have a choice of waiting for the review to happen, or installing it manually.

wbond commented 3 years ago

Unfortunately due to my personal life, I do not have the time to make such massive changes to the way that Package Control works.

You are suggesting changes to PC, the package schema, and the channel server, plus testing and putting out a release affecting millions of users.

Even if I did have free time, you are probably talking about a few weeks of work after work to pull it all off.

DenizOkcu commented 3 years ago

Hey Will, totally understandable 🙂

What does who need to do, to get sublimelinter-eslint reviewed and back into package control?

Is it just on you? Can I help?

Cheers.

wbond commented 3 years ago

I have to verify that the GitHub user account owning the package is the same one that owned it when the package was added to the channel.

The check prevents package takeovers due to GitHub usernames changing hands.
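An added example, not part of the comment above and not Package Control's own code: one way such an ownership check could be automated, by comparing the numeric account `id` that GitHub's `GET /users/{login}` endpoint returns against a value recorded when the package was added. The `OwnerRecord` snapshot, the function names, and all sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class OwnerRecord:
    """Hypothetical snapshot taken when a package was added to the channel."""
    login: str    # GitHub username at that time
    user_id: int  # numeric account id; it stays the same when a user renames

# Constructed stand-ins for GET /users/{login} responses (offline sample data).
SAMPLE_USERS = {
    "example-maintainer": {"login": "example-maintainer", "id": 1001},
    "reclaimed-name": {"login": "reclaimed-name", "id": 2002},
    "new-name": {"login": "new-name", "id": 3003},
}

def sample_lookup(login):
    """Return the user object for a login, or None where the API would 404."""
    return SAMPLE_USERS.get(login.lower())  # GitHub logins are case-insensitive

def owner_login(repo_url):
    """Extract <owner> from https://github.com/<owner>/<repo>."""
    parts = urlparse(repo_url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.hostname != "github.com" or len(segments) < 2:
        raise ValueError("not a GitHub repository URL: " + repo_url)
    return segments[0]

def review_status(repo_url, recorded, lookup=sample_lookup):
    """Decide whether the account behind repo_url is still the recorded one."""
    current = lookup(owner_login(repo_url))
    if current is None:
        # The username is free again, so anyone could register it.
        return "needs-review: account no longer exists"
    if current["id"] != recorded.user_id:
        # Same username, different account: the takeover case.
        return "needs-review: username now belongs to a different account"
    if current["login"].lower() != recorded.login.lower():
        return "ok: same account, renamed"
    return "ok"

if __name__ == "__main__":
    rec = OwnerRecord("reclaimed-name", 1500)
    print(review_status("https://github.com/reclaimed-name/pkg", rec))
```

Comparing on the numeric id rather than the username is what makes a renamed-but-unchanged owner distinguishable from a username that has changed hands.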

Shelagh-Lewins commented 3 years ago

I get that my first suggestion isn't practical, but is there any way to lessen the pain for users? I spent hours trying to figure out why the eslint tutorials no longer worked. For example could there be a Package Control update message listing any packages currently under review, so users know why they are missing and what they can do about it? Or some other method?

wbond commented 3 years ago

Practically, no, there is no sane way currently.

And popping up a message for every user listing the packages that are broken would be unuseful.