Pubdev.dartastic.io policy #
Note on the upstream dart pub publish prompt. The Dart pub CLI is shared with the public pub.dev registry, so when you publish to pub.dartastic.io it still prints "Policy details are available at https://pub.dev/policy". Ignore that link — the policy that applies to your publish on this private registry is the one on this page. We can't change the CLI prompt without forking the pub client; we can (and do) serve our own policy at the URL it implicitly anchors on (/policy of whichever registry you're publishing to).
Purpose #
Pubdev.dartastic.io is the private package registry for
Dartastic customers — it serves Pro / Compliance / Hosted-tier
artifacts (the dartastic_opentelemetry_native* family and any
private packages your team publishes) to the laptops, CI, and
production servers you authenticate via Dartastic API keys.
Unlike the public pub.dev registry, publication on pub.dartastic.io is not permanent. Pro and higher tiers can retract any version they own at any time — no 7-day window, no appeal process, no Google Terms-of-Service rules. The retraction endpoint is part of the tier (#75).
Retraction (you control this) #
| Tier | Can retract? | Window |
|---|---|---|
| Free / Pub Dev | Read-only on io_dartastic_*; can publish to own scope; cannot retract | n/a |
| Pro | Yes, immediate | None — any version, any time |
| Compliance | Yes, immediate + audit log | None — every retraction recorded for ALCOA+ |
| Hosted (Dev/Pro/Enterprise) | Yes, immediate (own box only) | None |
To retract: from the package page on pub.dartastic.io, click
Manage → Retract version. The version is removed from the
/api/packages/<name> response within seconds; clients pinned to
that version will fail to resolve on next pub get.
If you need to retract a version because of a leaked secret,
email security@mindfulsoftware.com — there's a faster path
through the Dartastic ops Slack.
Naming policy #
Package names must be unique within the registry. The same technical rules as upstream pub.dev apply:
- Lowercase letters, digits, and underscores only.
- Must start with a letter.
- Reserved prefixes: dartastic_opentelemetry_native* is reserved for Dartastic-published packages.
Because pub.dartastic.io is per-customer-org private, the "name squatting" notion from upstream doesn't apply — each customer org has its own namespace and there's no global land-grab.
Content policy #
Package contents must not violate:
- The Dartastic Terms of Service (replaces upstream's reference to Google Terms of Service — Google has no role in this registry).
- Any applicable law in the publisher's or the customer's jurisdiction.
Private packages within your customer org are not subject to
broader review — your team owns its scope. Public-readable
packages (Dartastic-published io_dartastic_* artifacts)
follow the Dartastic publish-review process.
Copyright #
You retain copyright in everything you publish. The Dartastic
Pro Commercial License governs Dartastic-published packages
(see the LICENSE files in
dartastic-pro-sdk);
your private uploads are governed by whatever license you set
in your pubspec.yaml.
Reporting issues #
- Security: security@mindfulsoftware.com (PGP key at https://dartastic.io/security/pgp.asc).
- Operational (the registry is down or slow): the Dartastic watchdog alerts our ops channel automatically; if it's been silent for more than 30 minutes during business hours, ping support@dartastic.io.
- Policy (you want an exception, a feature, or to disagree with a moderation decision): support@dartastic.io.
What's NOT carried over from upstream pub.dev #
The following sections of the upstream pub.dev policy explicitly do not apply to pub.dartastic.io:
- Google Terms of Service references — Google is not the registry operator.
- Pub.dev moderator / appeals process — the registry is per-customer-org private; moderation happens at the customer's discretion within their own namespace, and Dartastic's discretion within io_dartastic_*.
- Digital Services Act referral path — that's a public-EU-marketplace obligation that doesn't apply to a private-by-API-key customer registry. If you're a customer in the EU and have a dispute with Dartastic, contact support@dartastic.io first; if that's unsatisfactory, your contract terms control.
- "Top packages" rankings, search relevance signals — we don't rank for public discovery, since the registry isn't public.
Changes #
Material changes to this policy are announced in the Dartastic changelog at least 14 days before they take effect. Editorial changes (clarifications, typo fixes, link updates) land immediately and are noted in the changelog after the fact.