Those questions are legitimate, but I haven't been concerned about them.
There is a related question that I would tackle before those:
liability/vulnerability wrt expectations of the users of the package
catalog.
Scenarios that come first to mind involve someone having something bad
happen (like a system didn't work properly, or there was a security
intrusion), and they blame a package, and they blame the operators of
the catalog server (for not vetting the packages, or not safeguarding
against an attack on the server, etc.). This doesn't have to make a lot
of sense -- it can happen when party A is being blamed by party B, A
panics and looks around desperately for anyone else to blame -- and it
can be an expensive headache, up until a court rules in your favor.
Another thing about expensive headaches is that people who feel them
then behave in reactionary ways, which can increase the harm (e.g.,
political pressure to do stupid things, or stop doing good things).
On a large, very important Racket system on which I consulted, I
mirrored all third-party Racket packages on which the system depended,
in an SCM system, tracked versions, inspected the code of each, and
disabled direct access to the package servers from the development and
deployment environments. But not everyone is going to do things like
this. And, the more reckless people are in how they set up their
important systems, I suspect, the more they are likely to be reckless or
incapable when something goes wrong.
Maybe a proactive CYA notice of some kind would help avert or reduce the
headache from those hypothetical reckless people. I don't know; maybe
that's a question for a lawyer.
I think we generally don't like having to even think about CYA. It's a
distraction, can be an encumbrance, and we don't want to become people
who are too focused on CYA.
BTW, if someone wants to do systems research on the trustworthiness of
third-party software packages like this, I suspect there's an MS or PhD
in a good solution that doesn't involve huge central human effort or
perfect sandboxing. It's not necessarily a PL or OS problem, nor even a
traditionally CS one, so you might have to go cross-disciplinary.