Separate out stabilization into configurable passes

[msuozzo]

Working towards a solution for #39

[wbxyz]

This is cool! It's really helpful to have the different considerations separated out and encapsulated with a description.

Do you think eventually we'll be able to tell which stabilizers actually made modifications? I was imagining the stabilizers could return a modified copy instead of modifying in place. That way the invocation of the stabilizer can compare before-after, but that would be expensive to copy the file on every stabilizer invocation.

I guess another option would be for the stabilizers to return a bool of whether they made a modification. It would be more efficient but potentially less robust and more complex.

[msuozzo]

Do you think eventually we'll be able to tell which stabilizers actually made modifications?

Yeah it's certainly possible but I don't think it's a particular priority. The current way, we provide the document the passes we do apply at a given time. Next, we would have to provide feedback from both the rebuilt and upstream artifacts, take the super-set of the applied passes, and report those. Even that could be confusing given we'd report the same set of passes for both while the changes would often just reflect variability in the upstream artifact's metadata.

Further, this wouldn't necessarily provide valuable feedback to our users or to upstream maintainers. If our argument is that these differences aren't security-critical, diverting time/resources to resolving them isn't productive.

[wbxyz]

I think I was thinking about #83 but agreed that it's not high priority at the moment.

[msuozzo]

I think I was thinking about #83 but agreed that it's not high priority at the moment.

Yeah I read that, as well. I think that's more the "next step" as I was saying and less a near-term priority.