From 73e44dbedb8515fe087cefab14995cac37c468d5 Mon Sep 17 00:00:00 2001 From: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> Date: Thu, 9 May 2024 20:15:53 -0700 Subject: [PATCH] Rephrase (we->I; relation to Amazon LPs) Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com> --- pull_request_template.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/pull_request_template.md b/pull_request_template.md index 12772b49..7d038973 100644 --- a/pull_request_template.md +++ b/pull_request_template.md 
@@ -3,24 +3,26 @@ We welcome your pull request, but because this crate is downloaded about 1.7 mil and because ZIP file processing has caused security issues in the past (see https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=zip&cweid=&cvssscoremin=&cvssscoremax=&publishdatestart=&publishdateend=&updatedatestart=&updatedateend=&cisaaddstart=&cisaaddend=&cisaduestart=&cisadueend=&page=1 for the gory details), we have some requirements that help ensure we continuously earn developers' and their clients' -trust (see also the "Earn Trust" principle at https://www.amazon.jobs/content/en/our-workplace/leadership-principles), -and we've received a lot of PRs that didn't initially meet those requirements. +trust. I (@Pr0methean) am an Amazonian, and although I maintain this crate in a personal capacity (except when fellow Amazonians +express new requirements), I still strive to uphold Amazon's Leadership Principles, especially "Earn Trust" (see +https://www.amazon.jobs/content/en/our-workplace/leadership-principles.) But I've received a lot of PRs that didn't initially meet +the requirements I derived from that LP. -We don't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but -we expect the tools we provide for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in -https://github.com/zip-rs/zip2/blob/master/src/read.rs, to remain reliably effective. We also expect all the crate's methods to +This crate doesn't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but +I expect the tools the crate provides for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in +https://github.com/zip-rs/zip2/blob/master/src/read.rs, to remain reliably effective. 
I also expect all the crate's methods to remain panic-free, so that this crate can be used on servers without creating a denial-of-service vulnerability. These are our requirements for PRs, in addition to the usual functionality and readability requirements: - This codebase sometimes changes rapidly. Please rebase your branch before opening a pull request, and - grant @Pr0methean write access to the source branch (so he can fix later conflicts without being subject + grant @Pr0methean write access to the source branch (so I can fix later conflicts without being subject to the limitations of the web UI) if EITHER of the following apply: - It has been at least 24 hours since you forked the repo or previously rebased the branch; or - 5 or more pull requests are already open at https://github.com/zip-rs/zip2/pulls. PRs are merged in the order they become - eligible (reviewed, passing CI tests, and no conflicts with the base branch). @Pr0methean will attempt to fix merge + eligible (reviewed, passing CI tests, and no conflicts with the base branch). I will attempt to fix merge conflicts, but this is best-effort. -- Please make sure the repo your PR targets is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter - repo is no longer maintained and will be archived once the pre-existing issues are closed. +- Please make sure your PR's target repo is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter + repo is no longer maintained, and I will archive it after closing the pre-existing issues. - Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version. - PRs must pass all the checks specified in `.github/workflows/ci.yaml`, which include: - Unit tests, run with `--no-default-features` AND with `--all-features` AND with the default features, each run 
@@ -48,4 +50,6 @@ These are our requirements for PRs, in addition to the usual functionality and r https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits 6. Squash your PR into one commit or run `git commit --amend --no-edit`, because enabling commit signing isn't retroactive even for unpushed commits. + +Thanks in advance for submitting a bug fix or proposed feature that meets these requirements! -->
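Review bot: the we->I rephrase in the first hunk is incomplete: the unchanged context line `These are our requirements for PRs, in addition to the usual functionality and readability requirements:` (also echoed in the second hunk's `@@` header) still says "our", while the new text just above it says "the requirements I derived from that LP"; change it to `These are my requirements for PRs, ...` so the voice is consistent. Also, in the added line `https://www.amazon.jobs/content/en/our-workplace/leadership-principles.)` the period sits inside the parenthesis directly after the URL, so some Markdown renderers will fold it into the link; move the period after the closing parenthesis. The security-relevant requirements (keeping `ZipArchive::decompressed_size` reliably effective for pre-extraction size checks, and keeping every method panic-free so the crate cannot be turned into a denial-of-service vector on servers) survive the rewording intact, which is the part that matters.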