Ask HN: Would you pay for a secure PyPI?

2 points by apelapan ↗ HN
Imagine a PyPI mirror, that has placeholder packages, duplicates and general typosquatter junk removed.

Where every package has gone through a basic semi-manual audit for license compliance, ownership of upstream code, correspondence between upstream and packaged release content etc. The due dilligence anyone should do, before taking on a new external dependency, but very few do in practice (especially on third- or fourth-hand dependencies).

Would you or your organization pay to use a service like this?

0 comments

[ 3.4 ms ] story [ 7.9 ms ] thread

No comments yet.