
Consider rejecting packages using repository link that is already verified to another user

Open jonasfj opened this issue 1 year ago • 5 comments

jonasfj avatar Jul 17 '24 16:07 jonasfj

To stop people from forking without updating the git repository.

jonasfj avatar Jul 17 '24 16:07 jonasfj

Could this be used to lock people out from publishing using their repo, by repo-squatting them?

sigurdm avatar Aug 02 '24 09:08 sigurdm

> Could this be used to lock people out from publishing using their repo, by repo-squatting them?

Assuming that the already published package needs to have a verified repository to block further packages (which is a strict check for cross-referencing both the package name and the repository location), this is not affected by repo-squatting.

isoos avatar Aug 02 '24 10:08 isoos

> Assuming that the already published package needs to have a verified repository to block further packages (which is a strict check for cross-referencing both the package name and the repository location), this is not affected by repo-squatting.

Ah, I didn't get the part that it has to be verified. Updating title to clarify.

sigurdm avatar Aug 15 '24 08:08 sigurdm

Could this give conflicts for monorepos that are shared between multiple users?

How do we define "another user"? Does the new package have to have exactly the same set of uploaders, or just an overlapping set?

sigurdm avatar Aug 15 '24 08:08 sigurdm
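
The check discussed in this thread, modeled as an added example (not pub.dev code): a verified repository link blocks a new package unless its uploaders count as the same owner, under either reading of "another user". The `Package` fields, the URL normalization and the policy names `exact` and `overlap` are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Package:
    name: str
    repository: str       # repository link declared by the package
    verified: bool        # True once name and repository location were cross-referenced
    uploaders: frozenset

def normalize(url: str) -> str:
    # Assumption: links differing only in case, trailing "/" or ".git" name one repository.
    url = url.strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url

def same_owner(existing: Package, new: Package, policy: str) -> bool:
    # The two readings of "another user" raised in the thread (policy names are hypothetical).
    if policy == "exact":
        return existing.uploaders == new.uploaders
    if policy == "overlap":
        return bool(existing.uploaders & new.uploaders)
    raise ValueError(f"unknown policy: {policy}")

def blocking_packages(new: Package, published: list, policy: str) -> list:
    """Names of published packages whose verified repository link blocks `new`."""
    target = normalize(new.repository)
    return [
        p.name for p in published
        if p.name != new.name
        and p.verified                     # an unverified claim never blocks anyone
        and normalize(p.repository) == target
        and not same_owner(p, new, policy)
    ]

# Constructed sample data.
PUBLISHED = [
    Package("widgets", "https://github.com/example-org/mono", True, frozenset({"alice", "bob"})),
    Package("squatter", "https://github.com/example-org/other", False, frozenset({"mallory"})),
]
FORK = Package("widgets_plus", "https://github.com/example-org/mono.git", False, frozenset({"carol"}))
SIBLING = Package("widgets_test", "https://github.com/example-org/mono", False, frozenset({"bob"}))
VICTIM = Package("other", "https://github.com/example-org/other", False, frozenset({"dave"}))

def demo() -> dict:
    return {(pkg.name, policy): blocking_packages(pkg, PUBLISHED, policy)
            for pkg in (FORK, SIBLING, VICTIM) for policy in ("exact", "overlap")}

if __name__ == "__main__":
    for key, blockers in demo().items():
        print(key, "rejected by" if blockers else "allowed", blockers)
```

The monorepo sibling is rejected under `exact` and allowed under `overlap`; the fork is rejected and the unverified claim blocks nothing under both.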