STF Project: Developer for improving the registry backend

Project: Improving registry backend

The prototype of the fpm package registry is available for testing. To make it suitable for production, further development on the registry server is necessary, especially with respect to security-related features.

Metrics for packages

For the uploaded packages we want the possibility to collect statistics like the number of downloads. In this part of the project, existing registries like PyPI, Anaconda or crates are checked for the collected data and the respective terms of usage to allow collecting these data. An appropriate set of collected data is developed in collaboration with the community.

Flagging packages and deletion

For a working registry we need to handle cases where packages should be removed, either in a soft way, like being yanked from the public index but still addressable, or in a hard way, as in being properly removed from the server. Cases for this can be broken packages (soft delete), malicious packages (hard delete), copyright infringement (hard delete) etc. Part of this project is to survey reporting mechanisms in existing registries and develop a strategy to support reporting packages in the registry.

Security features

Packages with security vulnerabilities should be reported in the registry. This information should be made available to the fpm client so that users can upgrade to a secure version or apply a suggested mitigation strategy, e.g. switching from a deprecated package to an alternative. To efficiently track and encode these constraints, the fpm client needs to support pinning or locking of dependency versions.

Upload checks

To ensure that uploaded packages comply with the community standard, the upload checks for new packages should be refined in the backend and the fpm client. The fpm client should be able to perform most if not all checks on the package that are done by the registry backend; the registry backend must be able to perform at least all checks of the fpm client. Upload requirements and best practices are developed in discussion with the community.


  • Metric for uploaded packages
  • Possibility to report packages
  • Functionality for security related incidents
  • Improved upload restrictions in backend


The project is compensated at €60/hour over a period of 6 months up to 40 hours/week. Part time (less than 40 hours/week) is available by mutual agreement with the project administrators.


  • Knowledge in Python and Fortran
  • Familiarity with Flask framework

Please contact the project administrators, Sebastian @awvwgk and Ondrej @certik, for further information or to submit applications. For applications please include previous contributions to relevant Fortran-lang projects.

For more details on the STF project, check out Sovereign Tech Fund Project.