This proposal started from some comments on a YouTube Short.
What can we do about the wild west of code repos (npm, pip, GitHub, etc.)? When a CI/CD pipeline holds the keys to the kingdom and no outside party reviews releases, anything can happen. A large company can maintain its own repos and review each package it adds, which gives it some protection, but a small team doesn't have resources like that.
I also don't think everyone should rewrite the world, but how do we figure out what we can trust?
Who do you trust is the ultimate question. Second to that is why you trust them. The implementation of this proposal will hopefully be part of the answer to both.
- ActivityPub
  - A federated service allows anyone to start a service that can contribute to the group effort
  - A bad actor service can be de-federated
- An entity (person, org, etc.) cannot certify itself (cf. Boeing self-inspection)
- Each review needs to be signed with a cryptographic key (GPG, SSH key, etc.) linked to the entity performing the review, and must carry:
  - ecosystem (cargo, npm, pip, etc.)
  - version (tagged version, including the VCS SHA)
  - list of any analysis tools run on the package and their versions
    - analysis tools need to be deterministic and provide the same results for the same input
    - LLM review is not acceptable
  - remarks
    - general comments on the package
    - usefulness
    - code quality
    - potential issues
    - etc.
  - are you using this package, and in what context (hobby project, production, dependency of another package)
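As an added example, not code from the proposal itself, the following Go sketch models the review record from the list above and the checks a federated instance would run before accepting one: an Ed25519 signature over a canonical encoding, the signing key linked to the stated reviewer, no self-certification, a VCS SHA beside the tagged version, and an allow-list of deterministic tools that an LLM-based review would not be on. The field names, JSON layout, key directory and tool allow-list are assumptions for this example; the package, tool and entity names are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Review is the record a reviewer publishes. The field set follows the proposal's
// list; the field names and JSON layout are assumptions made for this example.
type Review struct {
	Ecosystem    string   `json:"ecosystem"`     // cargo, npm, pip, ...
	Package      string   `json:"package"`       // name inside that ecosystem
	Version      string   `json:"version"`       // tagged version
	VcsSha       string   `json:"vcs_sha"`       // commit the tag resolves to
	Reviewer     string   `json:"reviewer"`      // entity performing the review
	Tools        []Tool   `json:"tools"`         // analysis tools run, with versions
	Remarks      []string `json:"remarks"`       // usefulness, code quality, issues, ...
	UsageContext string   `json:"usage_context"` // hobby, production or transitive
}

// Tool names an analysis tool and its exact version so the run can be repeated.
type Tool struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// SignedReview is what gets federated: the review, the signer's key, the signature.
type SignedReview struct {
	Review    Review `json:"review"`
	PublicKey string `json:"public_key"` // hex-encoded Ed25519 public key
	Signature string `json:"signature"`  // hex-encoded signature over CanonicalBytes
}

// CanonicalBytes returns the bytes that are signed. encoding/json writes struct
// fields in declaration order with no whitespace, so the encoding is stable.
func CanonicalBytes(r Review) ([]byte, error) { return json.Marshal(r) }

// Sign signs a review with the reviewer's Ed25519 private key.
func Sign(r Review, priv ed25519.PrivateKey) (SignedReview, error) {
	msg, err := CanonicalBytes(r)
	if err != nil {
		return SignedReview{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return SignedReview{Review: r, PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// VerifySignature checks that the review as received matches its signature.
func VerifySignature(s SignedReview) error {
	pub, err := hex.DecodeString(s.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	sig, err := hex.DecodeString(s.Signature)
	if err != nil {
		return errors.New("malformed signature")
	}
	msg, err := CanonicalBytes(s.Review)
	if err != nil {
		return err
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), msg, sig) {
		return errors.New("signature does not match review")
	}
	return nil
}

var shaRe = regexp.MustCompile(`^([0-9a-f]{40}|[0-9a-f]{64})$`)

// Validate applies the proposal's acceptance rules. publisher is the entity that
// released the package, knownKeys maps a hex public key to the entity it is
// registered to, and deterministicTools is the allow-list of reproducible tools.
// All three are assumed to come from a federation directory not modelled here.
func Validate(s SignedReview, publisher string, knownKeys map[string]string,
	deterministicTools map[string]bool) error {
	if err := VerifySignature(s); err != nil {
		return err
	}
	r := s.Review
	if r.Reviewer == "" || knownKeys[s.PublicKey] != r.Reviewer {
		return errors.New("signing key is not linked to the stated reviewer")
	}
	if r.Reviewer == publisher { // no self-certification
		return errors.New("an entity cannot certify itself")
	}
	if r.Ecosystem == "" || r.Package == "" || r.Version == "" {
		return errors.New("ecosystem, package and version are required")
	}
	if !shaRe.MatchString(r.VcsSha) {
		return errors.New("version must carry the VCS SHA of the tagged commit")
	}
	for _, t := range r.Tools { // an LLM review fails here: it is not on the allow-list
		if t.Version == "" || !deterministicTools[t.Name] {
			return fmt.Errorf("tool %q is not an accepted deterministic tool", t.Name)
		}
	}
	switch r.UsageContext {
	case "hobby", "production", "transitive":
		return nil
	}
	return errors.New("usage_context must be hobby, production or transitive")
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // demo key, fixed seed
	r := Review{Ecosystem: "cargo", Package: "example-crate", Version: "1.2.3",
		VcsSha: "0123456789abcdef0123456789abcdef01234567", Reviewer: "reviewer.example",
		Tools: []Tool{{"example-lint", "2.0.1"}}, Remarks: []string{"no network use"},
		UsageContext: "production"} // constructed sample values
	s, _ := Sign(r, priv)
	keys := map[string]string{s.PublicKey: "reviewer.example"}
	fmt.Println(Validate(s, "publisher.example", keys, map[string]bool{"example-lint": true}))
}
```

The key-to-entity lookup is the part a real instance has to get right: verifying the signature only proves someone holding the key signed the record, and it is the directory binding that turns it into a statement by a named entity. De-federating a bad actor then amounts to dropping its keys from that directory.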