Clarify purpose and checks
Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>
This commit is contained in:
parent
a29d125ee7
commit
431b4cdf2b
1 changed files with 12 additions and 8 deletions
|
@ -2,8 +2,8 @@
|
|||
We welcome your pull request, but because this crate is downloaded about 1.7 million times per month (see https://crates.io/crates/zip),
|
||||
and because ZIP file processing has caused security issues in the past (see
|
||||
https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=zip&cweid=&cvssscoremin=&cvssscoremax=&publishdatestart=&publishdateend=&updatedatestart=&updatedateend=&cisaaddstart=&cisaaddend=&cisaduestart=&cisadueend=&page=1
|
||||
for the gory details), we have some requirements that help ensure the crate remains secure and panic-free, and that a lot of PRs
|
||||
don't meet.
|
||||
for the gory details), we have some requirements that help ensure the crate remains trustworthy and panic-free, and we've seen
|
||||
a lot of PRs that don't meet those requirements.
|
||||
|
||||
We don't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but
|
||||
we expect the tools we provide for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in
|
||||
|
@ -20,12 +20,16 @@ These are our requirements for PRs, in addition to the usual functionality and r
|
|||
conflicts, but this is best-effort.
|
||||
- Please make sure the repo your PR targets is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter
|
||||
repo is no longer maintained and will be archived once the pre-existing issues are closed.
|
||||
- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version,
|
||||
with `--no-default-features` AND with `--all-features` AND with the default features.
|
||||
- PRs must pass `cargo clippy --all-targets` and `cargo fmt --check --all`,
|
||||
with `--no-default-features` AND with `--all-features` AND with the default features.
|
||||
If you need to add a new `#[allow]` attribute, please place a comment on the same line or just above it, explaining what the
|
||||
exception applies to and why it's needed.
|
||||
- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version.
|
||||
- PRs must pass all the checks specified in `.github/workflows/ci.yaml`, which include:
|
||||
- Unit tests, run with `--no-default-features` AND with `--all-features` AND with the default features, each run
|
||||
against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version, on Windows, MacOS
|
||||
AND Ubuntu (yes, that's a 3-dimensional matrix).
|
||||
- `cargo clippy --all-targets` and `cargo doc --no-deps` must pass with `--no-default-features` AND with `--all-features`
|
||||
AND with the default features.
|
||||
- `cargo fmt --check --all` must pass.
|
||||
- If the above checks force you to add a new `#[allow]` attribute, please place a comment on the same line or just above it,
|
||||
explaining what the exception applies to and why it's needed.
|
||||
- Commit messages and the PR title must conform to [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and start
|
||||
with one of the types specified by the [Angular convention](https://github.com/angular/angular/blob/22b96b9/CONTRIBUTING.md#type).
|
||||
- All commits must be signed and display a "Verified" badge; see
|
||||
|
|
Loading…
Add table
Reference in a new issue