How will package safeness be checked/enforced?


#1

What will prevent people from submitting malicious (or simply ill-thought and harmful) packages?

Is there going to be a pre-screen of some kind?

What if someone publishes a safe, harmless package and then pushes a harmful upgrade?


#2

It would be very difficult for us to ensure that all packages and updates cause no harm, but this is an issue we take very seriously. Much like every other text editor that can be extended, we are relying on the community to help us maintain the safety of the package ecosystem.


#3

Are there already plans for this? Like, a rating and discussion system for packages, and maybe a division between packages that have been rated as safe by a number of users and packages yet to be rated?

Is it too soon to talk about this?


#4

I know that you are looking for a solution to run package specs on Travis; if it becomes a reality, maybe a status badge in the package search results would be useful. It will not protect from harmful code, but Atom may be able to warn users on install or on update that the package’s tests aren’t all green and that it may break at some point.


#5

Perhaps there should also be a warning if there aren’t any tests at all? I’ve found a number of packages completely devoid of tests.


#6

Showing the presence / absence of tests is a good thing IMO, and it would be even nicer to show some level of test coverage. Coverage isn’t the be-all and end-all, but 50% and 0% coverage indicates presence of testing vs. complete lack of testing.


#7

As a tester, you’d be surprised at what little difference there is, from a test surface perspective, between 50% and 0% code coverage :grinning:


#8

Just saying: many packages currently have a single test that checks for activation. Any test that actually exercises the functionality of the package will cause a coverage bump that is significant when compared to a test that simply checks that the package can be activated.

The distinction between those two scenarios – to me, as a user – is significant because one says ‘this package has tests for functionality’ and the other says ‘this person generated their package and hasn’t added any tests’. The zero-test scenario is ‘this person generated their package and removed the test that was generated’.