Allowing Package Owner Auth

[cbdotguru]

It appears all auth happens at the repo contract owner/authority level and there are no checks at the actual package owner level. Am I missing where this takes place? Is this purposeful in the design? If so, what was the reasoning?

[cgewecke]

@HACKDOM Are you thinking along the lines of a package owner being able to remove a package? Or gatekeeping who can publish one?

There are some checks in the sense that only a package owner can cut a release and there is a mechanism for transferring package ownership.

As currently deployed, the registry is open to the public - anyone can create a package. .But this is configurable - the registry permissions are set in a series of post-deployment calls executed here

Maybe we should highlight this topic in the docs. . .