Rephrase (we->I; relation to Amazon LPs)

Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>
This commit is contained in:
Chris Hennick 2024-05-09 20:15:53 -07:00 committed by GitHub
parent aea27a7642
commit 73e44dbedb
Signed by: DevComp
GPG key ID: B5690EEEBB952194


@ -3,24 +3,26 @@ We welcome your pull request, but because this crate is downloaded about 1.7 mil
and because ZIP file processing has caused security issues in the past (see and because ZIP file processing has caused security issues in the past (see
https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=zip&cweid=&cvssscoremin=&cvssscoremax=&publishdatestart=&publishdateend=&updatedatestart=&updatedateend=&cisaaddstart=&cisaaddend=&cisaduestart=&cisadueend=&page=1 https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=zip&cweid=&cvssscoremin=&cvssscoremax=&publishdatestart=&publishdateend=&updatedatestart=&updatedateend=&cisaaddstart=&cisaaddend=&cisaduestart=&cisadueend=&page=1
for the gory details), we have some requirements that help ensure we continuously earn developers' and their clients' for the gory details), we have some requirements that help ensure we continuously earn developers' and their clients'
trust (see also the "Earn Trust" principle at https://www.amazon.jobs/content/en/our-workplace/leadership-principles), trust. I (@Pr0methean) am an Amazonian, and although I maintain this crate in a personal capacity (except when fellow Amazonians
and we've received a lot of PRs that didn't initially meet those requirements. express new requirements), I still strive to uphold Amazon's Leadership Principles, especially "Earn Trust" (see
https://www.amazon.jobs/content/en/our-workplace/leadership-principles.) But I've received a lot of PRs that didn't initially meet
the requirements I derived from that LP.
We don't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but This crate doesn't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but
we expect the tools we provide for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in I expect the tools the crate provides for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in
https://github.com/zip-rs/zip2/blob/master/src/read.rs, to remain reliably effective. We also expect all the crate's methods to https://github.com/zip-rs/zip2/blob/master/src/read.rs, to remain reliably effective. I also expect all the crate's methods to
remain panic-free, so that this crate can be used on servers without creating a denial-of-service vulnerability. remain panic-free, so that this crate can be used on servers without creating a denial-of-service vulnerability.
These are our requirements for PRs, in addition to the usual functionality and readability requirements: These are our requirements for PRs, in addition to the usual functionality and readability requirements:
- This codebase sometimes changes rapidly. Please rebase your branch before opening a pull request, and - This codebase sometimes changes rapidly. Please rebase your branch before opening a pull request, and
grant @Pr0methean write access to the source branch (so he can fix later conflicts without being subject grant @Pr0methean write access to the source branch (so I can fix later conflicts without being subject
to the limitations of the web UI) if EITHER of the following apply: to the limitations of the web UI) if EITHER of the following apply:
- It has been at least 24 hours since you forked the repo or previously rebased the branch; or - It has been at least 24 hours since you forked the repo or previously rebased the branch; or
- 5 or more pull requests are already open at https://github.com/zip-rs/zip2/pulls. PRs are merged in the order they become - 5 or more pull requests are already open at https://github.com/zip-rs/zip2/pulls. PRs are merged in the order they become
eligible (reviewed, passing CI tests, and no conflicts with the base branch). @Pr0methean will attempt to fix merge eligible (reviewed, passing CI tests, and no conflicts with the base branch). I will attempt to fix merge
conflicts, but this is best-effort. conflicts, but this is best-effort.
- Please make sure the repo your PR targets is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter - Please make sure your PR's target repo is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter
repo is no longer maintained and will be archived once the pre-existing issues are closed. repo is no longer maintained, and I will archive it after closing the pre-existing issues.
- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version. - Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version.
- PRs must pass all the checks specified in `.github/workflows/ci.yaml`, which include: - PRs must pass all the checks specified in `.github/workflows/ci.yaml`, which include:
- Unit tests, run with `--no-default-features` AND with `--all-features` AND with the default features, each run - Unit tests, run with `--no-default-features` AND with `--all-features` AND with the default features, each run
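Review bot: The voice flips back mid-document: the intro and bullet list now say "I (@Pr0methean)" and "so I can fix later conflicts", but the unchanged line "These are our requirements for PRs, in addition to the usual functionality and readability requirements:" still reads "our"; since the commit's purpose is the we->I rephrase, change it to "These are my requirements for PRs" (or "the requirements for PRs") in the same hunk. Second, the period is placed inside the parenthesis directly after the URL, `leadership-principles.)`, so Markdown autolinkers will likely fold the `.` into the link target; move it outside: `(see https://www.amazon.jobs/content/en/our-workplace/leadership-principles).` Finally, the new sentence packs the personal-capacity caveat, the "except when fellow Amazonians express new requirements" aside and the PR history into one long sentence; ending it after `especially "Earn Trust" (see ...)` and starting a fresh sentence with "I've received a lot of PRs ..." reads more clearly.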
@ -48,4 +50,6 @@ These are our requirements for PRs, in addition to the usual functionality and r
https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
6. Squash your PR into one commit or run `git commit --amend --no-edit`, because enabling commit signing isn't retroactive 6. Squash your PR into one commit or run `git commit --amend --no-edit`, because enabling commit signing isn't retroactive
even for unpushed commits. even for unpushed commits.
Thanks in advance for submitting a bug fix or proposed feature that meets these requirements!
--> -->
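Review bot: Item 6 presents `git commit --amend --no-edit` as an alternative to squashing, but `--amend` only rewrites (and therefore re-signs) the tip commit, so on a branch with several commits the earlier ones remain unsigned and the signature check will still fail for them. Make squashing the primary instruction and qualify the shortcut, e.g. "Squash your PR into one commit (if it already is one, `git commit --amend --no-edit` is enough), because enabling commit signing isn't retroactive even for unpushed commits." The added "Thanks in advance ..." line is a good closer and reads fine where it is.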