
Prominently show the owner of a package

Open legendecas opened this issue 5 months ago • 6 comments

JSR is a new registry and there might (likely) be chances where people can preemptively register a well-known scope name on other registries, like npm. It could improve the supply chain security if JSR could prominently show the owner of a package.

As a reference, npm shows the owners on the right hand side of a package: https://www.npmjs.com/package/@opentelemetry/api. But on JSR, if I jump to a package page through search, https://jsr.io/@opentelemetry/api, there is no owner information at first glance on the page. Luckily, the scope https://jsr.io/@opentelemetry was not taken with malicious intent. But it is still worrisome that there is no prominent information about authenticity on a JSR package page.

legendecas avatar Jul 11 '25 10:07 legendecas

Given that everything is scoped on JSR, and any publishing and ownership is dictated by the scope and not the package, I don't think this is necessary. Additionally, on a package you can see the GitHub repo linked, which isn't just an arbitrary value, but rather only an authorized user (of the repo) can link.

crowlKats avatar Jul 11 '25 12:07 crowlKats

Additionally, on a package you can see the GitHub repo linked, which isn't just an arbitrary value, but rather only an authorized user (of the repo) can link.

What does "an authorized user" mean? A logged-in user of JSR does not mean they are an authentic owner of the linked GitHub repository. This is the same on npm, where a package can link to an arbitrary GitHub repo via the package.json repo field.

As a reference, https://jsr.io/@opentelemetry/api can be published and linked to the https://github.com/open-telemetry/opentelemetry-js repo without any authentication of ownership: https://github.com/open-telemetry/opentelemetry-js/issues/5728#issuecomment-3061738344

legendecas avatar Jul 11 '25 12:07 legendecas

Linking the GitHub repository can only be done by someone that has settings access to that repository.

As a reference, https://jsr.io/@opentelemetry/api can be published and linked to the https://github.com/open-telemetry/opentelemetry-js repo without any authentication of ownership

This is incorrect. Only someone with settings access to the opentelemetry repo can set the GitHub repo on JSR to be the opentelemetry repo.

crowlKats avatar Jul 11 '25 12:07 crowlKats

This is incorrect. Only someone with settings access to the opentelemetry repo can set the GitHub repo on JSR to be the opentelemetry repo.

Alright, so we are arguing on two points. First, I'm arguing that a well-known scope on npm can be easily preemptively registered on JSR, and a package published in this scope has no prominent indication of who published it.

Second, as you point out, there is a "GitHub" link on a package if it is linked. However, the link is "absent" on https://jsr.io/@opentelemetry/api; that is, there is no hint that the authorized GitHub link should be present.


Additionally, JSR does not prevent a package from linking to a repo in the README section. So when the top link is absent by default, I'm worried that there is space for fraudulence.

legendecas avatar Jul 11 '25 12:07 legendecas

By submitting this issue, I'm worried that https://jsr.io/@opentelemetry/api can be published by a person without any of the original maintainers on npm, and it is NOT easy to identify on the JSR page that it is published by someone arbitrary.

legendecas avatar Jul 11 '25 12:07 legendecas

When I first came across the opentelemetry package on JSR I saw it wasn't verified or linked to any GitHub repo. That immediately raised alarm bells and I then checked the owner of the scope. This was very easy and took less than a minute. I don't see any problems with the way it's currently done.

knotbin avatar Jul 12 '25 19:07 knotbin
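The README-link concern raised above and the "check the verified link, then the scope owner" routine knotbin describes can be automated for a consuming team's dependency review. The script below is an added example, not code from JSR or from anyone in this thread; the `githubRepository` and `readme` field names are assumptions about the shape of a package record (not JSR's documented API), and all sample records are constructed.

```python
import re

# Matches github.com/<owner>/<repo> in plain or markdown-linked URLs; stops at
# "/", ")", ".git" or whitespace so issue paths and link syntax are not swallowed.
GITHUB_URL = re.compile(r"https?://github\.com/([\w.-]+)/([\w-][\w.-]*?)(?:\.git)?(?![\w-])")

def repos_in_readme(readme: str) -> set[tuple[str, str]]:
    """Every owner/name pair named as a github.com URL in README text, lower-cased."""
    return {(m.group(1).lower(), m.group(2).lower()) for m in GITHUB_URL.finditer(readme)}

def assess_package(pkg: dict) -> dict:
    """Compare the registry-verified repo link with repos the README merely claims."""
    verified = pkg.get("githubRepository")  # assumed field: {"owner": ..., "name": ...} or None
    verified_key = (verified["owner"].lower(), verified["name"].lower()) if verified else None
    mentioned = repos_in_readme(pkg.get("readme", ""))
    findings = []
    if verified_key is None and mentioned:
        findings.append("README names a GitHub repo but the package has no verified repo link")
    elif verified_key is None:
        findings.append("no verified repo link; provenance rests on the scope owner alone")
    elif mentioned and verified_key not in mentioned:
        findings.append("verified repo link differs from every repo named in the README")
    return {"package": f"@{pkg['scope']}/{pkg['name']}", "verified_repo": verified_key,
            "readme_repos": sorted(mentioned), "findings": findings}

def review(pkgs: list[dict]) -> dict[str, list[str]]:
    """Map each package name to its findings; only flagged packages need a human look."""
    results = (assess_package(p) for p in pkgs)
    return {r["package"]: r["findings"] for r in results if r["findings"]}

# Constructed sample records (not real registry data).
SAMPLE_PACKAGES = [
    {"scope": "opentelemetry", "name": "api", "githubRepository": None,
     "readme": "# API\nSee https://github.com/open-telemetry/opentelemetry-js for the source."},
    {"scope": "opentelemetry", "name": "core",
     "githubRepository": {"owner": "open-telemetry", "name": "opentelemetry-js"},
     "readme": "Source: [repo](https://github.com/open-telemetry/opentelemetry-js.git)"},
    {"scope": "someone", "name": "utils", "githubRepository": {"owner": "someone", "name": "utils"},
     "readme": "Fork of https://github.com/Example-Org/utils/ with fixes."},
    {"scope": "solo", "name": "tool", "githubRepository": None, "readme": "No repo here."},
]

if __name__ == "__main__":
    for name, findings in review(SAMPLE_PACKAGES).items():
        print(name, "->", "; ".join(findings))
```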