-
Notifications
You must be signed in to change notification settings - Fork 351
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A few policy questions #569
Comments
Hey, @gabesullice. Thanks for reaching out. There are no official (i.e., written) policies for this package. For security releases, we would do the best effort to patch affected versions. Most fixes and updates are backported, but we don't have branches for versions older than v5. There is no regular release cadence. Releases are mostly PR-driven and covered in PR discussions. Yes, the use of semver is in place to provide BC assurances. There is no guarantee, per se, but I think the conventional SDLC provides general coverage. I don't think the questions are over-the-top, and we are honored to be considered for another large project. Simply put, this is a 100% community-driven package, and certainly the labor of love for @erayd and @shmax. |
Thanks for that info @bighappyface ! It's much appreciated :) |
BTW, related: #464. |
Thanks so much for the quick response! One followup question on security practices -- do you think you will mostly practice coordinated disclosure for any security issues that might come up? For example, do you have any mechanism for handling security bugs privately before they are fixed? And, more specifically -- if you do become aware of a security issue that will require a security release for the package, can you reach out to us and let us know? Our security team's contact address is security@drupal.org. |
@xjm no means of private disclosure of security issues is available at this time, but it is fair to get something established. Perhaps some documentation about security procedures with a list of important contacts to notify would be an acceptable first step? |
@bighappyface That sounds like a great idea to me. |
I would like to point out that manpower is something you guys should be aware of if you're intending to depend on this library. We're extremely short on manpower - it's basically just me and @shmax for the most part, and unless I'm working for a client who is paying me to make major progress on this (which is uncommon, but happens sometimes), I just don't have the time available to do significant amounts of work. As a result, progress on 6.0.0 has been extremely slow, and we currently don't have full support for any version of the spec newer than draft-04. I have been backporting stuff into the 5.x.x branch in order to ensure ongoing support, bugfixes, and backwards-compatibility on that branch, and intend to continue this. Basically every applicable bugfix goes in there, plus features that make sense to backport without breaking backwards-compatibility. We comply strictly with semantic versioning, and will continue to do so. If you have a specific requirement for what you actually need regarding LTS support, that would be good to know, so we can give a better indication on whether your requirements are actually something we can comply with in that regard. I suspect it'll be fine, but it seems important to check. We're also a dependency of composer, so we are unlikely to drop support for 5.x.x any time soon. Security-wise, we've not had any issues reported during the years I've been involved with the project, but we also haven't had (as far as I'm aware) any significant auditing of the code either, and there's a lot of old, messy stuff in there, so it would not surprise me if there were a few such problems with it. I'm happy to commit to addressing any security concerns that are raised extremely quickly, but I can't promise that they will be proactively discovered, due to the aforementioned lack of time. A responsible disclosure policy and contact list is not something we have at present, but IMO it's a good idea, and I'd be quite happy for us to go down that path. One other risk to be aware of is that this repo has a very high bus factor - @justinrainbow has been AWOL for years, and the only person who has commit access is @bighappyface. We can't add anybody else, because @bighappyface doesn't have admin rights to the repo. We could move to a new package name if necessary, but that would be rather messy. |
Thanks @erayd ! Regarding the bus factor, hopefully our contributors can help out upstream too. :) I know this package has been very helpful to contributors to the Drupal JSON:API module, so I'm sure it's in their interest to help out if or when they can. Drupal's release schedule is as follows:
Sorry to hear about the admin rights issue; that's a tough spot to be in. |
Huzzah! Thanks @bighappyface , and @justinrainbow , wherever you are... |
@gabesullice and @xjm in an attempt to cleanup this repo we are trying to filter the issues and see which ones might be closed. Is it safe to assume all questions were answered and this issue can be closed? Feel free to close it yourself with some comments if helpful or let us know what is needed to progress on this. |
Thanks for your input everyone. I'm glad the commit access issues were sorted out. Y'all went above and beyond. I think all questions were sufficiently addressed for our purposes. Huzzah! |
Hi there! And thanks for all your excellent work, this library has been super helpful :)
The Drupal project is considering adding this library as one of our dev dependencies and so we're performing a standard stability review.
I'm curious if you have any official policies documented somewhere WRT to:
PS. I totally understand that these questions are probably a little over the top if this project is a one-person shop, for the most part ;) Due diligence and whatnot.
The text was updated successfully, but these errors were encountered: