One thing I’m struggling with in my OSS research is why package repos don’t enforce and validate source code URLs and license checks.
At a minimum, at least make the source URL an explicit field in the metadata. Most package managers allow devs to arbitrarily submit project and source URLs, and don’t offer any adjudication. This wouldn’t be that big a deal if devs did their due diligence and validated things themselves.
The biggest problem is that without explicit fields in metadata there is no “good” way to automate the validation.
In some basic analysis of NPM, well over 1/3 of packages either don’t point to their source or have an invalid URL.
Curious what you guys think about this. Thoughts?
Kit
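As an added illustration (editor's example, not part of Kit's post or any registry's tooling), here is the kind of check the post says is hard to automate: a Node script that normalises the shapes npm accepts for the `repository` field and sorts manifests into missing, invalid, and ok. The sample manifests and the "dotted hostname" rule are constructed assumptions.

```javascript
// Added example, not from the original post: classify the `repository` field
// of npm manifests as missing, invalid, or a usable https source URL.
// Hosts implied by npm's "host:user/repo" shorthand ("user/repo" means GitHub).
const SHORTHAND_HOSTS = { github: "github.com", gitlab: "gitlab.com", bitbucket: "bitbucket.org" };

// Normalise whatever the manifest carries into an https URL, or null if it cannot.
function normalizeRepository(repo) {
  let spec = typeof repo === "string" ? repo : repo && repo.url;
  if (typeof spec !== "string" || spec.trim() === "") return null;
  spec = spec.trim();
  // Shorthand without a scheme: "user/repo" or "github:user/repo".
  const short = spec.match(/^(?:(github|gitlab|bitbucket):)?([\w.-]+\/[\w.-]+)$/);
  if (short) {
    return `https://${SHORTHAND_HOSTS[short[1] || "github"]}/${short[2].replace(/\.git$/, "")}`;
  }
  // Drop npm's "git+" prefix; map scp-style and ssh:// forms onto https.
  spec = spec.replace(/^git\+/, "");
  const ssh = spec.match(/^(?:git@|ssh:\/\/git@)([^:\/]+)[:\/](.+?)(?:\.git)?$/);
  if (ssh) return `https://${ssh[1]}/${ssh[2]}`;
  spec = spec.replace(/^git:\/\//, "https://");
  // Anything else must parse as http(s) with a dotted hostname (constructed heuristic).
  try {
    const u = new URL(spec);
    if (!["http:", "https:"].includes(u.protocol) || !u.hostname.includes(".")) return null;
    return `${u.protocol}//${u.hostname}${u.pathname.replace(/\.git$/, "").replace(/\/$/, "")}`;
  } catch {
    return null;
  }
}
// One manifest -> { status: "missing" | "invalid" | "ok", url }.
function classifyManifest(manifest) {
  if (manifest.repository === undefined) return { status: "missing", url: null };
  const url = normalizeRepository(manifest.repository);
  return url ? { status: "ok", url } : { status: "invalid", url: null };
}
// Tally a batch; this is the kind of figure the post quotes for npm.
function summarize(manifests) {
  const counts = { missing: 0, invalid: 0, ok: 0 };
  for (const m of manifests) counts[classifyManifest(m).status] += 1;
  return counts;
}
// Constructed sample manifests covering the common shapes seen on npm.
const SAMPLE_MANIFESTS = [
  { name: "a" },                                   // missing
  { name: "b", repository: "user/repo" },          // shorthand, implied GitHub
  { name: "c", repository: { type: "git", url: "git+https://github.com/user/repo.git" } },
  { name: "d", repository: { type: "git", url: "git@github.com:user/repo.git" } },
  { name: "e", repository: "not a url" },          // invalid
];
console.log(summarize(SAMPLE_MANIFESTS)); // { missing: 1, invalid: 1, ok: 3 }
```

Run over real manifests (e.g. each package's `package.json` from the registry) the same tally gives the missing/invalid split the post is describing.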