Michael Thomsen

Oct 10, 2019


Announcing verified publishers on pub.dev

Today we’re announcing a new feature on pub.dev (the Dart package repository): verified publishers. When you use a package that has a verified publisher, you can be sure that the publisher is who they claim to be. When you publish packages as a verified publisher, you get the bonus of easier package administration.

Increasing trust for package consumers

App developers building apps with Flutter tell us that having a rich selection of high-quality packages is critical to their productivity, allowing them to reuse common components and access popular SDKs and libraries. We’re seeing an immense amount of growth in the pub.dev ecosystem, with thousands of packages published over the past year, and hundreds of thousands of developers using pub.dev every month to browse and search for new package content.

One of the most important selection criteria we hear from package users is who published the package. Verified publishers strengthen this signal by verifying the identity of the publisher, and by clearly listing the publisher identity in package search results and on package detail pages (note the blue badge next to dart.dev in the screenshots below).

Package search result showing a package that was published by a verified publisher
Package detail page showing a package that was published by a verified publisher

When you click the publisher, you can see a few more details, including a contact email for the publisher, a link to the publisher homepage, and a short description of the publisher. The publisher description is provided by the publisher, offering a small branding opportunity.

You can also view a list of all packages published by the publisher. Below is an example from the new dart.dev publisher.

Sample package list for a publisher

When we designed the verification process, we wanted a mechanism that was trustworthy, low cost, and available to anyone interested in being a verified publisher. We also preferred a process that was automated, so accounts could be created without delays.

After reviewing several alternatives, we decided to base the verification on DNS (Domain Name System) second-level domains. We chose DNS because we believe that most package publishers already have a domain and a homepage at that domain. During the publisher creation process, pub.dev verifies that the user creating the verified publisher has admin access to the associated domain, based on existing logic in the Google Search Console.
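Because verification proves control of a domain, a package consumer still has to decide which domains to trust. The sketch below is an added example, not code from this post or from pub.dev: it audits the packages in a `pubspec.lock` against an allowlist of publisher domains. The function names, the sample lockfile, and the sample publisher answers are constructed for illustration, and the response shape of the `/api/packages/<name>/publisher` endpoint is an assumption.

```python
import json
import re
import urllib.request

# Constructed sample data: a pubspec.lock excerpt and stand-in publisher lookups.
SAMPLE_LOCK = """\
packages:
  http:
    source: hosted
  color_utils_x:
    source: hosted
  dart_http_helpers:
    source: hosted
  internal_tools:
    source: git
"""
SAMPLE_PUBLISHERS = {"http": "dart.dev", "color_utils_x": None,
                     "dart_http_helpers": "dart-dev.example"}

def parse_lock(text):
    """Map package name -> source, relying on pubspec.lock's fixed indentation."""
    sources, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"^  ([A-Za-z0-9_]+):\s*$", line):
            current = m.group(1)
        elif (m := re.match(r'^    source:\s*"?([\w-]+)"?', line)) and current:
            sources[current] = m.group(1)
    return sources

def fetch_publisher(package):
    """Live lookup; assumes the endpoint returns {"publisherId": <domain or null>}."""
    url = f"https://pub.dev/api/packages/{package}/publisher"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp).get("publisherId")

def audit(lock_text, trusted, lookup=fetch_publisher):
    """Classify every locked package; only an exact domain match counts as trusted."""
    report = {}
    for pkg, source in parse_lock(lock_text).items():
        publisher = lookup(pkg) if source == "hosted" else None
        if source != "hosted":
            report[pkg] = f"no-publisher (source: {source})"
        elif publisher is None:
            report[pkg] = "unverified"
        elif publisher in trusted:
            report[pkg] = f"trusted ({publisher})"
        else:
            report[pkg] = f"verified-but-unlisted ({publisher})"
    return report
```

Calling `audit(SAMPLE_LOCK, {"dart.dev"}, SAMPLE_PUBLISHERS.get)` runs offline on the sample data. The exact-match comparison is what keeps a verified but look-alike domain such as the constructed `dart-dev.example` from passing as `dart.dev`.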

Besides the clear benefits of verifying the publisher identity, the verified publishers feature also offers administrative benefits. Previously, if you published many packages, access management was a tedious, package-by-package job that took away time you could be spending on improving your packages. With verified publishers, you can configure a single team of admins for your publisher account, where all team members have the ability to publish updates to all packages owned by the publisher.

We’ve also added a few new self-administration options, including the ability to move an existing package to a publisher account (see below), or to mark a package as discontinued.

It’s easy to transfer existing packages to a verified publisher. Just create a verified publisher, and use the transfer function on your existing packages. This simple process takes just a few minutes per package.

We’re discussing lots of future improvements to pub.dev. Here are some of the ideas:

  • Search support for packages that support a particular platform (for example, Android or web; #187), including a better understanding of Dart web vs Flutter web packages
  • Tags or categories for packages (#367)
  • Voting on or liking high-quality packages (#798)
  • Clear policy and process for reporting questionable content (#1570)

If you’re interested in a particular idea, we encourage you to check the pub.dev issue tracker to make sure the idea is already tracked, and to indicate your interest by adding a thumbs up reaction to the topmost comment of the issue.

If you’re a package publisher, we encourage you to get your packages transferred to a verified publisher account as soon as possible, to get the benefits listed above for both yourself and the users of your packages. We’ve already transferred many of the most popular dart.dev packages, and expect more to be transferred shortly.

That’s all for now. We look forward to seeing even more high-quality packages on pub.dev!