Community-driven mechanism for takedown of spam/malicious servers

[tadasant]

Some discussion here: #93

When someone publishes a malicious or spam server.json, we need a mechanism for getting it reported and taken down.

While we can rely on existing source registries that we reference (e.g. npm, pypi, etc) to pull down malicious source code, we can't rely on the same mechanism for remote servers.

Steps to do here:

• Evaluate how other registries in the ecosystem deal with this. Likely solution is to enable community reporting of spam/malicious intent.
• Design mechanism for making those submissions
• Set thresholds for what meets the bar for a takedown
• Implement

[steiza]

Usually this is handled by having the humans that operate the registry monitoring some sort of inbox / report queue for people reporting a submission as malicious. If the registry has a web interface, you can implement sending a malicious report from the page associated with the submission.

See things like:

• https://docs.npmjs.com/reporting-malware-in-an-npm-package
• https://blog.pypi.org/posts/2024-03-06-malware-reporting-evolved/