Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add linting check for sensitive updates to existing packages #309

Open
Tracked by #26106
shonfeder opened this issue May 15, 2024 · 0 comments
Open
Tracked by #26106

Add linting check for sensitive updates to existing packages #309

shonfeder opened this issue May 15, 2024 · 0 comments
Labels

Comments

@shonfeder
Copy link
Contributor

shonfeder commented May 15, 2024

When an update for an existing package is submitted, it is possible that the new opam file can update sensitive fields, such as the license, maintainer, author, or even location from which the source is obtained. These kinds of changes require special scrutiny.

@raphael-proust and @kit-ty-kate noted today that the current review process requires manually diffing the new opam file against the previous one to identify these kinds of updates. To help streamline the review process, reducing manual work and improve safety, we should:

  • Add a linting pass that detects changes to sensitive fields.
  • When a notable change is detected, add a comment to the PR reporting which fields have been updated (we can include a note about why the field is sensitive).

We don't want CI to fail in case these fields are updated, but instead want some sort of informative warning. Adding a comment seems like the only way to achieve this within the confines of GitHub's PR interface.

We may want to consider just always adding the diff of fields changes as a comment, because it seems to me that nearly all fields from the https://opam.ocaml.org/doc/Manual.html#Package-definitions could be used for malicious purposes by a bad actor. More input on the particulars from seasoned opam repo maintainers would be helpful.

@shonfeder shonfeder changed the title Add linting check for suspicious or sensitive updates to existing packages Add linting check for sensitive updates to existing packages May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant