Policy for software package requests #1387
Conversation
jemrobinson
requested review from
martintoreilly and
JimMadge
as code owners
jemrobinson
force-pushed
the
software-package-requests
branch
from
0086a9d to
c1b445b
Compare
|
|
||
| 2. A member of the project team reviews the request according to the terms of the {ref}`package_inclusion_policy`. | ||
|
|
||
| 3. The reviewer adds their decision (accept/reject) to the issue and notifies the user who made the request. |
There was a problem hiding this comment.
If I was a reviewer, how would I know how to make this decision? Is it possible to expand some guidance here - for example, in Daniel from Edon's case, would the reviewer just google "R Arrow" and check it's a real package and somehow figure out if it's something without known security vulnerabilities?
There was a problem hiding this comment.
The issue template asks them to answer the following questions:
- Package name
- Package version (if different from latest)
- Package repository (e.g. CRAN, PyPI)
- Number of authors/contributors to the package codebase
- Any existing versions that should not be used (linking to publicly-accessible CVE databases if relevant)
- Download statistics (recent and longer-term, for both current and previous versions)
- List of packages that this package depends on
- What will you be able to do with this package that you can't currently do?
- Is this the most widely supported package for the intended purpose? What alternatives are there?
- What risks to data integrity/security might arise from including this package or its dependencies?
There was a problem hiding this comment.
Makes sense, so the burden of checking risks falls to the requester
There was a problem hiding this comment.
The burden of explaining why the risks are manageable. We still don't have a well-defined way to make a decision based on these answers though :)
jemrobinson
force-pushed
the
software-package-requests
branch
from
62c220a to
3dc612f
Compare
jemrobinson
force-pushed
the
software-package-requests
branch
from
3dc612f to
8a7fa32
Compare
There was a problem hiding this comment.
I think I'm not convinced that we should be doing this.
I really like the explanation of how we are confident about the security of the SRE, but that allowing data from outside presents risks to data mixing or other misuse.
The criteria for what we would consider adding seem quite broad.
I think this has caused us problems in the past, particularly with Python packages are resolving all dependencies across many packages is difficult (or impossible).
If that is what we really want to do, we should probably look at using lmod (or another module system) to isolate those packages.
Co-authored-by: Jim Madge <jim+github@jmadge.com>
✅ Checklist
Enable foobar integrationrather than515 foobar).developbut it may have changed since then)../tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory>.Add a policy for approving software package requests. Note that this is a policy for adding packages to the main repository, and not a policy for any specific deployment.
Much of the text comes from #622 which was removed during the private-public transition but I think is still relevant here.
🌂 Related issues
Closes #622
🔬 Tests
Tested that automated package generation works as expected.
NB. CI test failure is due to the fact that we're adding a new
.mdfile and theEdit this pagelink refers back to the non-existent file in GitHub.