Registry Governance
This document describes how the uapkg registry is operated, moderated, and maintained.
uapkg is an independently operated open source project and not a public utility, commercial hosting provider, or guaranteed archival service.
The purpose of this document is to establish transparent operational expectations for publishers, users, contributors, and maintainers.
Maintainer Role
Registry maintainers/operators are responsible for operating and protecting the registry ecosystem and related infrastructure.
This may include:
- Operating registry infrastructure and automation systems
- Maintaining package indexes and metadata systems
- Performing moderation and abuse handling
- Responding to security incidents
- Managing archival and continuity systems
- Preserving ecosystem stability and reproducibility where reasonably practical
Registry maintainers/operators are not responsible for reviewing, endorsing, auditing, certifying, or guaranteeing packages published by third parties.
Maintainers/operators may establish operational policies, technical restrictions, validation requirements, publishing requirements, or moderation procedures as necessary to maintain the ecosystem.
Moderation Process
The registry may moderate packages, metadata, publisher accounts, documentation, or related content in order to:
- Protect users and infrastructure
- Reduce abuse and malicious activity
- Respond to legal or security concerns
- Preserve ecosystem integrity and operational stability
- Enforce registry policies
Moderation actions may include:
- Unlisting packages
- Removing metadata or documentation
- Restricting publishing access
- Freezing package updates
- Blocking malicious content
- Limiting visibility or distribution
- Archiving historical records
Moderation decisions may be made using automated systems, manual review, community reports, or security analysis.
The registry may take moderation action against packages or accounts involved in typosquatting, deceptive naming practices, namespace abuse, impersonation, or bad-faith package reservation behavior.
Not all moderation actions will involve prior notice, public explanation, or individual discussion.
Security Response
The registry may take action in response to credible security concerns involving packages, publishers, infrastructure, or ecosystem integrity.
This may include:
- Temporary or permanent package removal
- Disabling package distribution
- Revoking publishing access
- Blocking compromised accounts
- Removing malicious metadata or documentation
- Freezing package updates during investigation
- Preserving forensic or historical records for investigation purposes
Security investigations may involve coordination with hosting providers, security researchers, affected users, open source maintainers, or legal authorities where appropriate.
The registry may prioritize user safety and ecosystem protection over package availability or publisher continuity.
Dispute Handling
The registry may receive disputes involving:
- Intellectual property claims
- Trademark complaints
- Package ownership disputes
- Naming disputes
- Impersonation concerns
- Security reports
- Fraud or deceptive conduct
- Policy violations
Naming disputes may include:
- Typosquatting
- Deceptive similarity to existing projects or ecosystems
- Impersonation of organizations or publishers
- Trademark-related naming conflicts
- Bad-faith namespace reservation or hoarding
Registry maintainers/operators may investigate disputes at their discretion and may request supporting evidence or verification from involved parties.
The registry is not obligated to mediate private disputes between users, organizations, contributors, publishers, or third parties.
Where reasonably practical, the registry may attempt to act in good faith and proportionally when handling disputes, but maintainers/operators retain final discretion regarding registry operations and moderation decisions.
Emergency Removal Authority
Registry maintainers/operators may immediately remove, disable, restrict, freeze, or unlist packages, metadata, accounts, mirrors, or related services without prior notice when reasonably necessary to:
- Protect users or infrastructure
- Respond to malware or active exploitation
- Prevent ecosystem-wide disruption
- Address legal or regulatory concerns
- Contain compromised accounts or packages
- Reduce risk of ongoing harm
Emergency actions may be temporary or permanent.
The registry is not obligated to restore removed content after emergency actions are taken.
Appeals and Reinstatement
Publishers may request reconsideration of certain moderation or enforcement actions where appropriate.
Submission of an appeal does not guarantee review, response, reinstatement, or restoration.
Registry maintainers/operators may consider factors including:
- Severity of the issue
- Evidence of remediation
- Risk to users or infrastructure
- Repeated violations or abuse patterns
- Publisher cooperation and responsiveness
- Ecosystem impact
Reinstatement decisions are made at the discretion of registry maintainers/operators.
Registry Preservation and Continuity
uapkg may preserve or retain historical metadata, integrity information, dependency references, archives, mirrors, generated documentation, or cached artifacts in order to support:
- Ecosystem reproducibility
- Dependency continuity
- Historical auditing
- Security investigation
- Operational recovery
- Registry preservation
As a result:
- Historical references to removed packages may continue to exist
- Mirrors or caches may persist after package removal
- Generated metadata or derived artifacts may remain archived
- Dependency graphs and integrity records may continue referencing removed packages
The registry may prioritize ecosystem continuity and reproducibility over complete historical removal of package references.
Governance Changes
This governance document may be updated, modified, expanded, or replaced over time as the ecosystem evolves.
Operational practices, moderation procedures, validation requirements, and enforcement approaches may change without prior notice.
Continued use of the registry constitutes acceptance of the current governance policies.