I think this is self explanatory.
In the old days of
mrt, it was rather easy to take a peek at a package code and fork if necessary.
Yes, the new packaging system is ages beyond and ahead, but as I browse packages on atmosphere, I find myself dismissing those that do not have the github link. Sometimes, if a package’s name looks very interesting, I try to track it down on github with some search-fu, but more often than not I cannot find it and then, again, dismiss it. It kind of sounds crazy to me to get a package into my app and not know how exactly it works.
Yes, I know that it eventually ends up on my computer and I can track it down in my local package cache, but hey, it is rather cumbersome.
So, since the whole atmosphere ecosystem works around the open source principle, why on earth do we need to jump through hoops to get to the source code?
So, here I say it out loud, let’s please make github links and a more-than-one-line readme mandatory for packages.
+1 for this! and let me ask here once again:
Dear package authors, if you want to make it easier for people (and organizations) to adopt your work and contribute back, then please make it [both the source & docs] easy to read and comprehend (one of the core ideas of the Open Source), especially in view of security issues with the community packages.
Also, if you need help with improving documentation for your packages (i.e. writing, editing and enhancing with examples), don’t hesitate to ask, to let people know you welcome such contribution.
I see the problem but I think a more flexible solution would be the ability to filter based on whether packages have a README or github link, along with the ability to download a zip file of the code if the github link is not there. These filters could be automatically on, increasing the initiative to include a README and source link.
And @workman’s suggestion to link (or download) to the code is especially nice for core packages like Tracker
I also wish I could easily verify which source code a given package contains.
In the case of a git URL, I’d like it to be verified to link to a specific revision on a public repository; otherwise it’s hard to quickly evaluate packages.
For packages like the meteor-subpackages, maybe a link to the path inside of the main repo would do.
But it should be verified that the package contains absolutely the same code from which the package was built.
Wasn’t it with meteorite / mrt that it pulled the package from the git url and built it? That way there (almost) couldn’t be anything else but code from the git repo in a package.
Or maybe just add a way to browse a package’s source via the web on atmosphere / fastosphere?
That’d make it easier to quickly sanity-check a package and its contents. Especially smaller packages from lesser known authors.
Oftentimes it’s just a handful of files or a wrapper around some other non-meteor package, which is easy to validate, but it could be a “trojan horse” where somebody might inject treacherous code into my project with a minor update without me noticing.
I think that’s an issue which could be remedied or at least mitigated by having the source browse-able or linked to a public git commit.
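The check asked for above (does the package in the local cache contain exactly the files of the pinned public commit?) can be scripted. This is an added example, not code from the thread or from Meteor/Atmosphere: it hashes every file under two directories and reports what was added, dropped or modified; the sample package and checkout are constructed in temp directories, and the directory names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_digest(root, skip_dirs=(".git", ".npm", "node_modules")):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        if any(part in skip_dirs for part in rel.parts):
            continue  # VCS metadata and build dirs are not shipped source
        if path.is_file():
            digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_trees(package_dir, source_dir):
    """Diff an installed package against a checkout of the commit it claims to be built from."""
    package, source = tree_digest(package_dir), tree_digest(source_dir)
    return {
        "only_in_package": sorted(set(package) - set(source)),
        "missing_from_package": sorted(set(source) - set(package)),
        "modified": sorted(f for f in package.keys() & source.keys() if package[f] != source[f]),
    }

def build_demo():
    """Constructed sample: a package whose published files drift from the pinned commit."""
    source = Path(tempfile.mkdtemp(prefix="checkout-"))
    package = Path(tempfile.mkdtemp(prefix="pkgcache-"))
    for d in (source, package):
        (d / "package.js").write_text("Package.describe({name: 'demo:example'});\n")
        (d / "lib").mkdir()
        (d / "lib" / "demo.js").write_text("Demo = { greet: function () { return 'hi'; } };\n")
    (source / ".git").mkdir()
    (source / ".git" / "HEAD").write_text("ref: refs/heads/main\n")  # must be ignored
    # Published copy differs: one file altered, one file not in the repository at all.
    (package / "lib" / "demo.js").write_text("Demo = { greet: function () { return 'hi'; } };\n// changed after publish\n")
    (package / "lib" / "extra.js").write_text("// not present in the public repository\n")
    return str(package), str(source)

if __name__ == "__main__":
    pkg, src = build_demo()
    for kind, files in compare_trees(pkg, src).items():
        print(f"{kind}: {files}")
```

An empty report means the cached package is byte-for-byte the pinned commit; anything listed under `modified` or `only_in_package` is exactly the kind of drift the thread worries about.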