SwiftPackageIndex-Server
Add deny list to package validation
We've just removed an archived package from the package list which was causing build issues.
In order to prevent this package from returning into the index via direct or dependency addition (unlikely in this case but conceivable for others), we should add a deny list to the package validation scripts in https://github.com/SwiftPackageIndex/PackageList.
Was briefly discussed in https://github.com/SwiftPackageIndex/PackageList/pull/508 when the script was first added (some sort of ignore list).
This is still not super pressing but I think a good way of implementing this would be to have just another package list repo like PackageList - PackageBlockList or something.
The server could use this in its reconciliation stage to subtract from PackageList and validation could independently also use it to reject resubmission.
By managing it via PRs we'll have a visible audit trail of what's rejected and the PRs or issues could carry info why.
I agree this is the best way to go. It doesn't even need to be a separate repository, it could be another JSON file in PackageList.
As mentioned in https://github.com/SwiftPackageIndex/PackageList/issues/3540, we now have a need for this deny list!
I added an initial deny list to the repository. We need to use it in two ways:
- We need to subtract the deny list from any changes that are about to be proposed from the nightly package discovery task.
- We need to also check and remove any packages on the deny list when reconciling the package list in the Server project.
- We could also add something to the “Add Packages” workflow to check and comment, but that might be overkill.
- We could also add something to “Remove Packages” to automate additions to the deny list.
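The subtraction described in the first two items, sketched as an added example that is not part of the thread or the project's code. It assumes the deny list is a JSON array of URL strings (the thread only says "another JSON file"); `canonicalKey`, `applyDenyList` and the URLs are hypothetical. Comparison is done on a normalised key so that a resubmission differing only in case, a trailing slash or a `.git` suffix is still rejected.

```swift
import Foundation

// Hypothetical helper: comparison key for a package URL. Case, a trailing
// slash and a ".git" suffix are ignored so URL variants cannot bypass the list.
func canonicalKey(_ url: String) -> String {
    var key = url.trimmingCharacters(in: .whitespacesAndNewlines).lowercased()
    while key.hasSuffix("/") { key.removeLast() }
    if key.hasSuffix(".git") { key.removeLast(4) }
    return key
}

// Splits candidate URLs into those that may enter the index and those that
// match a deny list entry. The same function serves nightly discovery
// (candidates = proposed additions) and server reconciliation
// (candidates = the full package list).
func applyDenyList(candidates: [String], denyList: [String])
    -> (kept: [String], rejected: [String]) {
    let denied = Set(denyList.map(canonicalKey))
    var kept: [String] = []
    var rejected: [String] = []
    for url in candidates {
        if denied.contains(canonicalKey(url)) {
            rejected.append(url)
        } else {
            kept.append(url)
        }
    }
    return (kept, rejected)
}

// Constructed sample data; the format and the URLs are assumptions.
let denyListJSON = Data("""
["https://github.com/example-org/ArchivedPackage.git"]
""".utf8)
let candidates = [
    "https://github.com/example-org/GoodPackage.git",
    "https://github.com/Example-Org/archivedpackage",      // case variant, no ".git"
    "https://github.com/example-org/ArchivedPackage.git/", // trailing slash
]

do {
    let denyList = try JSONDecoder().decode([String].self, from: denyListJSON)
    let result = applyDenyList(candidates: candidates, denyList: denyList)
    print("kept:", result.kept)
    print("rejected:", result.rejected)
} catch {
    // Fail closed: an unreadable deny list should stop the run, not be skipped.
    print("deny list could not be decoded:", error)
    exit(1)
}
```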
This is done.