Yep, non-canonical registries are used by businesses and they are more likely to pay. For example, our dependency firewall will be a paid feature that delays updates from packages that are recently updated under suspicious circumstances like: author changed, author information changed, different programming language, activity after a long period of inactivity, large change to the code, etc.
> delays updates from packages that are recently updated under suspicious circumstances
This is an example of the security curation you note earlier.
People reviewing flags alongside the code, remediation during the delay, highlighting package authors you like are some of why “Being the canonical registry … tends to be a huge expense.” How many people build and run GitLab Package Registry?
We don’t know exactly how many people use it since it is open source, but I think between 100,000 and 1 million people. The Docker container registry is the most popular.
The security curation examples I mentioned are intended to use automated signals so there wouldn’t be an expense for labor. In fact we intend to run them separately on every self-managed GitLab installation.
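As an added example (not GitLab's code) of how the automated signals listed above could be scored to decide how long a dependency firewall holds back a new release; the Release record, the thresholds and the sample releases are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Release:
    """Minimal metadata a registry mirror could collect per published version (assumed shape)."""
    version: str
    published: datetime
    author: str
    author_email: str
    languages: frozenset  # languages detected in the package contents
    loc: int              # lines of code in the package


def suspicious_signals(prev: Release, new: Release,
                       dormancy: timedelta = timedelta(days=365),
                       size_ratio: float = 2.0) -> list[str]:
    """Return which of the thread's signals fire for the upgrade prev -> new."""
    flags = []
    if new.author != prev.author:
        flags.append("author changed")
    elif new.author_email != prev.author_email:
        flags.append("author information changed")
    if not new.languages <= prev.languages:
        flags.append("different programming language")
    if new.published - prev.published > dormancy:
        flags.append("activity after long inactivity")
    # Relative size change in either direction (a shrink can hide removed code too).
    bigger, smaller = max(new.loc, prev.loc), max(1, min(new.loc, prev.loc))
    if bigger / smaller >= size_ratio:
        flags.append("large change to the code")
    return flags


def quarantine_until(prev: Release, new: Release,
                     base_delay: timedelta = timedelta(days=7)) -> tuple[datetime, list[str]]:
    """Hold the update base_delay per firing signal; no signals means no delay."""
    flags = suspicious_signals(prev, new)
    return new.published + base_delay * len(flags), flags


# Constructed sample releases of a hypothetical package.
PREV = Release("1.4.2", datetime(2020, 1, 10), "alice", "alice@example.org",
               frozenset({"javascript"}), 1200)
RISKY = Release("1.4.3", datetime(2022, 3, 1), "mallory", "mallory@example.net",
                frozenset({"javascript", "c"}), 3400)
BENIGN = Release("1.4.3", datetime(2020, 2, 1), "alice", "alice@example.org",
                 frozenset({"javascript"}), 1250)

if __name__ == "__main__":
    for candidate in (RISKY, BENIGN):
        until, why = quarantine_until(PREV, candidate)
        print(f"{candidate.version}: available {until.date()} {why}")
```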