Project continuity planning #908
Comments
Hi @EliotJones, I'd be more than happy to take over if you are fine with it. I do agree 100% with you regarding the "XZ Utils attack" risk, but I don't have a proper solution to mitigate that. I'm also happy to lay down here some next devs I'd like to see implemented in the library if that's of any help. Feel free to ask anything if you have questions, and thanks a lot for starting this great project!
Hi @BobLd @EliotJones, I'm also always happy to provide a second set of eyes for any future reviews.
Hi @BobLd, thanks very much. I have decided on the following course of action:
@EliotJones thanks a lot for everything again! I got back to you via email.
Thanks @BobLd for stepping up and offering a hand. Even if it's just routine dependency updates, having someone around and able to respond is huge. I wish I could offer real support, but my low-level experience with PDFs is insufficient. The only thing I might be able to help with is perhaps streamlining the release process, so if that ever gets into your focus with an issue, feel free to tag me on it!
@svengeance thanks a lot for the help offer, much appreciated. I'm planning to work on the release process shortly (hopefully before the end of the year). I'll for sure tag you. In the meantime, do you have examples of GitHub pipelines you have set up that are publicly available?
I ironically have a basic C# wrapper around QPDF that I maintain/published on NuGet and GitHub. My process is pretty simple. Every PR has a corresponding update to the RELEASE_NOTES.md file in the root of the repo. When I want to release a new version, my pipeline does a sparse checkout of just that file, and then uses release-action to create a GH release and embed the file into the body of the release notes. In my opinion it's easier to accrue changes in a single file over time than to wait until the release to try to understand everything that happened. The file also gives you more flexibility than you could by building up release notes via commit messages or PR titles, where it's hard to convey multiple enhancements, notes, comments, and breaking changes. This release process also takes care of updating its NuGet packages of course. If I were to do it a little differently, I might also create a prepend-only file (CHANGELOG.md) in the root of the repo that is updated on-release so users have an at-a-glance file to track changes. The process of gradual release notes accrual might be beneficial here where contributions are more likely, and it can be added to the contribution guidelines that adequate updates to the file need to be made to describe the change.
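The release flow described in the comment above, written out as an added GitHub Actions workflow for illustration. This is not svengeance's or PdfPig's actual configuration. It assumes that "release-action" refers to ncipollo/release-action, that a pushed `v*` tag is what triggers a release, that the project file lives at `src/MyLibrary/MyLibrary.csproj` (placeholder), and that the NuGet API key is stored in a repository secret named `NUGET_API_KEY` scoped to an environment named `nuget` (both placeholder names).

```yaml
name: Release

on:
  push:
    tags:
      - 'v*'   # assumed convention: pushing a tag such as v1.2.3 triggers a release

# Least-privilege token: creating a release needs contents:write and nothing else.
permissions:
  contents: write

jobs:
  github-release:
    runs-on: ubuntu-latest
    steps:
      # Sparse checkout of only RELEASE_NOTES.md. Cone mode must be disabled
      # so the pattern matches a single file instead of a directory.
      - uses: actions/checkout@v4
        with:
          sparse-checkout: |
            RELEASE_NOTES.md
          sparse-checkout-cone-mode: false

      # Create the GitHub release and embed the notes file as its body.
      # ncipollo/release-action is assumed to be the "release-action" mentioned.
      - uses: ncipollo/release-action@v1
        with:
          tag: ${{ github.ref_name }}
          name: ${{ github.ref_name }}
          bodyFile: RELEASE_NOTES.md

  nuget-publish:
    needs: github-release
    runs-on: ubuntu-latest
    # Assumed: a GitHub environment named "nuget" holds the API key, so the
    # secret is only exposed to runs that target this environment.
    environment: nuget
    steps:
      - uses: actions/checkout@v4        # full checkout: packing needs the sources
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'        # assumed SDK version
      # Derive the package version from the tag (strip the leading "v").
      - run: dotnet pack src/MyLibrary/MyLibrary.csproj -c Release -o out -p:Version="${GITHUB_REF_NAME#v}"
      - run: dotnet nuget push out/*.nupkg --api-key "$NUGET_API_KEY" --source https://api.nuget.org/v3/index.json
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}   # placeholder secret name
```

Two points relate to the supply-chain concern raised earlier in the thread: the `permissions` block keeps the workflow token to the single scope the release step needs, and pinning each `uses:` reference to a full commit SHA instead of a moving tag like `@v4` prevents an upstream action from changing underneath the release job.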
@BobLd, just in case, the nightly release failed to push to NuGet, claiming the credentials are not working anymore; might this be linked to the transition?
@Greybird thanks for flagging - should be good now.

@svengeance thanks a lot for the details, I'll definitely look into your project. We might use a similar approach to what you did - thx again!
Looking to gather thoughts on how best to ensure I'm not the critical blocker on further changes to this library.
Unfortunately a temporary burnout with PdfPig seems to be more or less permanent and I'd like to ensure the library is able to continue to evolve without my input. (this burnout is unrelated to money, this isn't a request for payment, I just need more time which unfortunately currency can't buy)
Obviously the risk of supply chain attacks makes this difficult. The recent XZ Utils attack shows there's a large risk in broadening contributor permissions for a project, even one which is only mildly successful.
Some approaches could be:
Interested to hear thoughts of those involved or who have done this before.