Package Yanking Guidance #51
Conversation
Signed-off-by: hayleycd <[email protected]>
Signed-off-by: hayleycd <[email protected]>
This is a good start! I left some comments.
@steiza Thanks so much! I will take this feedback and will be pushing a draft in the next few days.
Signed-off-by: hayleycd <[email protected]>
@steiza the draft is still WIP, but there is actual text instead of just notes. The complete draft will be ready in the next couple of days, but please take a look if you would like to.
Signed-off-by: hayleycd <[email protected]>
Signed-off-by: hayleycd <[email protected]>
Signed-off-by: hayleycd <[email protected]>
@hayleycd Is this ready to be marked as "ready for review"?
It is almost ready. I am going to address the comments that came in today, remove my notes, and add a list of resources. Then I will move it out of draft.
Signed-off-by: hayleycd <[email protected]>
Signed-off-by: hayleycd <[email protected]>
This is great!
In this pull request, do you also want to add a link under Implementation Guidance
on https://github.com/ossf/wg-securing-software-repos/blob/main/docs/index.md?plain=1#L10? Then a link to this page will show up on https://repos.openssf.org/.
I enjoyed reading through this, well done! I had some notes/suggestion inline, and also wanted to drop this resource: https://sembr.org/
It might prove useful for longer-form documents that may only change a word or two on a line, and thus prevent having to update an entire paragraph as a result. The output rendering ought not change.
Thanks! I learned something new today. I didn't know that is how markdown rendered things, and that's really useful for review/revision. I guess that is why the linter for some of the projects I work on does not want you to include spaces at the end of lines.
Signed-off-by: hayleycd <[email protected]>
Thanks @miketheman @david-a-wheeler @di and @steiza! I appreciate your feedback. @steiza I have addressed comments and I've added a link to the index page.
Looks great! Just some high level feedback on terminology:
- This uses the terms "package registries" and "package managers" somewhat interchangeably. Generally, I would recommend using "package repositories" or "package index" to refer to an index with a collection of packages (e.g. PyPI) and "package installers" to refer to a tool a user would use to manage their packages locally (e.g. pip).
- We may also want to be more clear when we use the word "maintainers" -- while the team that runs a repository could also be considered maintainers, a better term might be "repository administrators", which avoids ambiguity when referring to end users as maintainers.
Co-authored-by: Dustin Ingram <[email protected]> Signed-off-by: Hayley Denbraver <[email protected]>
@hayleycd - this is an awesome doc! I left a bunch of feedback. I don't have any big concerns except around the word "yanking". I think the term should be disambiguated at the top of the document or a more ecosystem-neutral term be selected. A terminology section might help to align readers from various backgrounds on a set of shared concepts. Great work!
Co-authored-by: Joel Verhagen <[email protected]> Signed-off-by: Hayley Denbraver <[email protected]>
Signed-off-by: hayleycd <[email protected]>
Signed-off-by: hayleycd <[email protected]>
I think this is getting pretty close to merge-able! Last call for reviews, and for previous reviewers to resolve open comments -- I'll look to merge this early next week.
Co-authored-by: Dustin Ingram <[email protected]> Signed-off-by: Hayley Denbraver <[email protected]>
Signed-off-by: hayleycd <[email protected]>
Thank you @hayleycd!
Please see this TAC Issue.
This is no longer a draft. I am open to any suggestions or changes.