by internetter 823 days ago
Hi HN!! I’m the author of this, if you have questions let me know
3 comments

Great work! Package management and supply chain issues are definitely something that has by no means been solved. I appreciate that you did your experiment, as it pushes the community forward to think about solutions to these problems.

I think you should still build some kind of script to install every available package and then do some interesting analysis from the result. For example, I'm sure there are supply chain trojan horses waiting to be discovered.

Yeah. We were considering it, obviously that may have been a better way to go about it. I want to return to it in the future and do it this way, but we lost a little interest after all this.
One of the lessons from the old book The Design of Everyday Things is that when someone uses an artifact incorrectly, it is not the fault of the user but instead the fault of the designer who allowed such a use.

One of the examples in the book is people who keep on pulling on a door handle that's meant to be pushed, because the handle looks like a pull handle.

You did nothing other than pull on the pull handle. That the door frame came out of the wall is not your fault.

You mentioned contacting the security teams, was that/did you try HackerOne? I don't think they would allow you to try to deliberately do it from the outset (the preferred reproduction would surely be 1. Create package A; 2. Create package B via another owner; 3. Demonstrate that B rendered A un-unpublishable^) but you might have had more luck explaining that you stumbled into it and need help unwinding it there.

Funny idea, dumb policy, nice write-up!

^In the article you write 'immutable', but I think you mean that it can't be unpublished/de-listed? I suppose definitions vary, and you could call that immutable, but to me the versions are always immutable, so that implies no new version could be published, which I don't think was the case?