From 431b4cdf2be7c410c3372b793550b7058637ace6 Mon Sep 17 00:00:00 2001 From: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> Date: Thu, 9 May 2024 19:59:51 -0700 Subject: [PATCH] Clarify purpose and checks Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> --- pull_request_template.md | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/pull_request_template.md b/pull_request_template.md index 079b0f35..c397864f 100644 --- a/pull_request_template.md +++ b/pull_request_template.md @@ -2,8 +2,8 @@ We welcome your pull request, but because this crate is downloaded about 1.7 million times per month (see https://crates.io/crates/zip), and because ZIP file processing has caused security issues in the past (see https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=zip&cweid=&cvssscoremin=&cvssscoremax=&publishdatestart=&publishdateend=&updatedatestart=&updatedateend=&cisaaddstart=&cisaaddend=&cisaduestart=&cisadueend=&page=1 -for the gory details), we have some requirements that help ensure the crate remains secure and panic-free, and that a lot of PRs -don't meet. +for the gory details), we have some requirements that help ensure the crate remains trustworthy and panic-free, and we've seen +a lot of PRs that don't meet those requirements. We don't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but we expect the tools we provide for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in 
@@ -20,12 +20,16 @@ These are our requirements for PRs, in addition to the usual functionality and r conflicts, but this is best-effort. - Please make sure the repo your PR targets is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter repo is no longer maintained and will be archived once the pre-existing issues are closed. -- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version, - with `--no-default-features` AND with `--all-features` AND with the default features. -- PRs must pass `cargo clippy --all-targets` and `cargo fmt --check --all`, - with `--no-default-features` AND with `--all-features` AND with the default features. - If you need to add a new `#[allow]` attribute, please place a comment on the same line or just above it, explaining what the - exception applies to and why it's needed. +- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version. +- PRs must pass all the checks specified in `.github/workflows/ci.yaml`, which include: + - Unit tests, run with `--no-default-features` AND with `--all-features` AND with the default features, each run + against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version, on Windows, MacOS + AND Ubuntu (yes, that's a 3-dimensional matrix). + - `cargo clippy --all-targets` and `cargo doc --no-deps` must pass with `--no-default-features` AND with `--all-features` + AND with the default features. + - `cargo fmt --check --all` must pass. +- If the above checks force you to add a new `#[allow]` attribute, please place a comment on the same line or just above it, + explaining what the exception applies to and why it's needed. 
- Commit messages and the PR title must conform to [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and start with one of the types specified by the [Angular convention](https://github.com/angular/angular/blob/22b96b9/CONTRIBUTING.md#type). - All commits must be signed and display a "Verified" badge; see
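Review bot: In the first hunk, "trustworthy" is less specific than the "secure" it replaces, in a paragraph whose whole justification is the list of past ZIP-processing CVEs linked just above it; consider keeping "secure and panic-free", or spelling out what "trustworthy" is meant to cover (no panics on malformed input, and correct results from the safety-check helpers such as `ZipArchive::decompressed_size` that the next sentence relies on), so contributors know which guarantees a PR must not weaken. A smaller style point on the same hunk: the cvedetails URL carries a long run of empty query parameters (`cweid=&cvssscoremin=&cvssscoremax=...`); check whether a link with only `product=zip` resolves to the same search, since it would make the template far more readable.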
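Review bot: In the second hunk, rewording "If you need to add a new `#[allow]` attribute" to "If the above checks force you to add a new `#[allow]` attribute" narrows the rule: an `#[allow]` added for any other reason (silencing a lint the author simply disagrees with, for example) no longer requires the explanatory comment, which is the case a reviewer most wants explained. Suggest keeping "If you need to add a new `#[allow]` attribute" (or "If your PR adds ...") so every new exception is justified. Two smaller points: the MSRV/stable/nightly requirement now appears twice, once as the standalone "Your changes must build against the MSRV ..." bullet and again inside the unit-tests sub-bullet, so one of them can go; and since the list is introduced as what `.github/workflows/ci.yaml` checks, add a sentence that the workflow file is authoritative if the two ever disagree, otherwise the enumerated matrix will drift the next time CI changes.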