DevComp/zip-rs-wasm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Rephrase (we->I; relation to Amazon LPs)

Browse source 
Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>
This commit is contained in:
Chris Hennick 2024-05-09 20:15:53 -07:00 committed by GitHub
parent aea27a7642
commit 73e44dbedb
Signed by: DevComp
GPG key ID: B5690EEEBB952194
1 changed files with 13 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
pull_request_template.md
View file

@ -3,24 +3,26 @@ We welcome your pull request, but because this crate is downloaded about 1.7 mil
and because ZIP file processing has caused security issues in the past (see
https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=zip&cweid=&cvssscoremin=&cvssscoremax=&publishdatestart=&publishdateend=&updatedatestart=&updatedateend=&cisaaddstart=&cisaaddend=&cisaduestart=&cisadueend=&page=1
for the gory details), we have some requirements that help ensure we continuously earn developers' and their clients'
trust (see also the "Earn Trust" principle at https://www.amazon.jobs/content/en/our-workplace/leadership-principles),
and we've received a lot of PRs that didn't initially meet those requirements.
trust. I (@Pr0methean) am an Amazonian, and although I maintain this crate in a personal capacity (except when fellow Amazonians
express new requirements), I still strive to uphold Amazon's Leadership Principles, especially "Earn Trust" (see
https://www.amazon.jobs/content/en/our-workplace/leadership-principles.) But I've received a lot of PRs that didn't initially meet
the requirements I derived from that LP.
We don't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but
we expect the tools we provide for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in
https://github.com/zip-rs/zip2/blob/master/src/read.rs, to remain reliably effective. We also expect all the crate's methods to
This crate doesn't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but
I expect the tools the crate provides for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in
https://github.com/zip-rs/zip2/blob/master/src/read.rs, to remain reliably effective. I also expect all the crate's methods to
remain panic-free, so that this crate can be used on servers without creating a denial-of-service vulnerability.
These are our requirements for PRs, in addition to the usual functionality and readability requirements:
- This codebase sometimes changes rapidly. Please rebase your branch before opening a pull request, and
grant @Pr0methean write access to the source branch (so he can fix later conflicts without being subject
grant @Pr0methean write access to the source branch (so I can fix later conflicts without being subject
to the limitations of the web UI) if EITHER of the following apply:
- It has been at least 24 hours since you forked the repo or previously rebased the branch; or
- 5 or more pull requests are already open at https://github.com/zip-rs/zip2/pulls. PRs are merged in the order they become
eligible (reviewed, passing CI tests, and no conflicts with the base branch). @Pr0methean will attempt to fix merge
eligible (reviewed, passing CI tests, and no conflicts with the base branch). I will attempt to fix merge
conflicts, but this is best-effort.
- Please make sure the repo your PR targets is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter
repo is no longer maintained and will be archived once the pre-existing issues are closed.
- Please make sure your PR's target repo is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter
repo is no longer maintained, and I will archive it after closing the pre-existing issues.
- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version.
- PRs must pass all the checks specified in `.github/workflows/ci.yaml`, which include:
- Unit tests, run with `--no-default-features` AND with `--all-features` AND with the default features, each run
@ -48,4 +50,6 @@ These are our requirements for PRs, in addition to the usual functionality and r
https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
6. Squash your PR into one commit or run `git commit --amend --no-edit`, because enabling commit signing isn't retroactive
even for unpushed commits.
Thanks in advance for submitting a bug fix or proposed feature that meets these requirements!
-->