Security considerations for future package manager

I notice a package manager to replace the current nuget workflow is in the roadmap for 2022.6.
Which is great! I'm sure it will make vvvv even more accessible for users to pull in all sorts of solutions to problems.

I love how you can install a nuget and moments later have helppatches that you can run live, but I also see some risk there.

My proposal is to use the development of this package manager to think about how to minimise the security risks of installing and running code from the internet.
I think vvvv will have an increasing role in the future as an accessible entry point for new coders and I would hate to see that abused by bad actors.


Technical solutions

UX-Cultural solutions

  • Whitelist of community trusted packages, i.e. dev approved packages from trusted vvvv community members.
    (Could also whitelist for dataflow context usability)
    UI gives warnings if you search download outside this list.
    Warning to remind you that even help patches are executing someone else's code.

  • Greater highlight in vvvv culture security due diligence. We could have a page on what you should consider before downloading a nuget in documentation and ensure it’s part of appropriate getting started tutorials.
    Something like
    Trust and NuGet | You’ve Been Haacked
    (comments on that article also very interesting)

  • Generally increase cultural alignment of vvvv developer security practices with the latest .net developer security practices. If there's an important announcement for security for .net then we could also copy that into our newsletters. At the least to make people aware that Microsoft and vvvv devs cannot reduce the risks to zero, every developer must also think about security when they get code from the internet.