nimforum mirror - where to report malicious? nimble packages?

enaaab460 (orginal) [2025-08-10T14:34:24+02:00] view original

https://nimble.directory/pkg/pl0t appears to be spam

daylinmorgan (orginal) [2025-08-10T16:18:10+02:00] view original

The place to report packages would be at https://github.com/nim-lang/packages.

But this package just appears to be just no long maintained, not malicious. There are ublock warnings on GitHub or nimble.directory?

enaaab460 (orginal) [2025-08-10T16:35:12+02:00] view original

there is no github / source code, the Project website has many redirects then a full page ad (you won so and so)

PMunch (orginal) [2025-08-10T17:00:54+02:00] view original

Isn't it this project? https://github.com/al6x/pl0t. Says it's unmaintained and that the site is down (I guess someone bought the domain).

enaaab460 (orginal) [2025-08-10T18:03:16+02:00] view original

Appears to be

I could not reach the GitHub from the nimble page

To say the package itself is premature from my side, but the nimble page and the package domain were fishy

enaaab460 (orginal) [2025-08-10T18:09:42+02:00] view original

Maybe just clean up the nimble page?

PMunch (orginal) [2025-08-10T19:25:47+02:00] view original

The "nimble page" is just a third party, unofficial, website showing data from the package registry and GitHub. It's maintained by Federico Ceratto.

daylinmorgan (orginal) [2025-08-10T19:40:37+02:00] view original

Ah! Ya I just checked the GitHub page not the URL.

emre (orginal) [2025-08-11T05:20:57+02:00] view original

We should periodically scan all the packages and marked the archived, abandoned, and deleted ones as such, don't you think?

emre (orginal) [2025-08-11T07:38:22+02:00] view original

What if we then moved them into another file, say deleted_packages.json to keep the active one lean? I've written a workflow to do the first part: https://github.com/nim-lang/packages/pull/3103

arnetheduck (orginal) [2025-08-12T07:44:31+02:00] view original

but maybe something like last commit date, or new issues since last commit could be a decent proxy

Stable software doesn't need to have new commits/versions or issues if it functional.

Second this - our best packages are the ones we don't have to change - many of the packages we use the most don't have commits for months/years - nim-results for example (which certainly has a lot of users) was last touched 8 months ago.

That said, if you follow reverse dependencies you can get a slightly better proxy - ie you can consider the most recent commit over the dependency graph - this would accurately show a package like nim-results as being "recently" useful.

Araq (orginal) [2025-08-12T08:32:08+02:00] view original

In my experience the quality of a package can be judged quite effectively by knowing its author(s)...

I suggest we add a whitelist of trusted authors to Nimble/Atlas and then these packages get a recommended annotation in the list of search results.

emre (orginal) [2025-08-12T16:14:39+02:00] view original

I think surfacing the number of stars the repo has is a better signal. It is democratic, dynamic, and easy to implement.

daylinmorgan (orginal) [2025-08-12T17:25:43+02:00] view original

It may be simple but it's also forge dependent in a way that nimble and atlas aren't.

It artificially penalizes packages that aren't hosted on github (or forges with similar github ui/apis like codeberg/forgejo)

I think a more generalizable and useful metric for libraries would be similar to what @arnethduck suggested above which would be based on dependency graphs.

In other words, an option to sort libraries by the number of dependents.

emre (orginal) [2025-08-12T17:48:52+02:00] view original

From the listed dependencies in the nimble file right? That's a good idea.

PMunch (orginal) [2025-08-12T17:52:45+02:00] view original

This unfairly benefits libraries that are low-level though. Things like result would have a lot of dependents, but something like a terminal UI module could have lots of programs that use it, but not all of them would be hosted on Nimble..

emre (orginal) [2025-08-12T17:57:39+02:00] view original

Why not both then?

daylinmorgan (orginal) [2025-08-12T21:33:12+02:00] view original

If I'm looking for a package to use with nim it's because of I have a particular problem not just randomly looking for reasons to introduce new dependencies I have to manage.

So it's something that make more sense when comparing categorically similar packages (I'm never comparing adding results vs adding some terminal library (Technically, I wouldn't have to find one of those I have my own, bugs and all :P))

But your point still stands that the more low-level a package is the more-likely it is to have dependents. Also, I think there is a good chance a lot of folks don't submit binary only packages to the registry which would lead to pretty specious data in the first place (at least I don't usually unless I'm advertising it to the nim community specifically).

emre (orginal) [2025-08-12T21:49:56+02:00] view original

I assume we are restricting dependents to registered packages?

Mirror of forum.nim-lang.org

13305 :: where to report malicious? nimble packages?