
[New Feature]: Allow packages submitted by Verified Publishers to be automatically merged #89190

Open
gerardog opened this issue Nov 18, 2022 · 3 comments
Labels
Issue-Feature Complex enough to require an in depth planning process and actual budgeted, scheduled work.

Comments

@gerardog
Contributor

gerardog commented Nov 18, 2022

Description of the new feature/enhancement

When certain conditions are met, allow automatic merge of PRs.
This would be somewhat analogous to adding moderators, but restricted to specific packages.

Proposed technical implementation details (optional)

Possible rules:

  • If the software vendor is pushing a new version, automatically merge the PR.
    • Could exist as an explicit whitelist text file: UserA --can add packages for manifest--> PackageId.1
      • Whitelists can be protected by CODEOWNERS or similar.
    • For packages hosted on GitHub, it could be inferred either:
      • from Manifest Id, i.e. manifest id UserA.packageB can be updated by user UserA
      • from download url: github.com/user/repo/releases/....
@gerardog gerardog added the Issue-Feature Complex enough to require an in depth planning process and actual budgeted, scheduled work. label Nov 18, 2022
@ghost ghost added the Needs-Triage This work item needs to be triaged by a member of the core team. label Nov 18, 2022
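The three rules sketched in the proposal above, worked through as an added Python example (not winget-pkgs code; the allowlist line format, the PR metadata fields and every sample value are assumed). It only decides whether a PR qualifies for the proposed fast path; anything that matches no rule, including a lookalike host or a non-release URL, falls back to the normal moderation queue:

```python
"""Eligibility check for the auto-merge rules proposed in this issue.

Added example, not winget-pkgs code. The allowlist line format, the
PR metadata shape and all sample values below are constructed/assumed.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist in the format the proposal sketches:
#   UserA --can add packages for manifest--> PackageId.1
ALLOWLIST_TEXT = """
UserA --can add packages for manifest--> UserA.packageB
Vendor-Bot --can add packages for manifest--> Contoso.Tool
"""
ALLOW_RE = re.compile(r"^(\S+)\s+--can add packages for manifest-->\s+(\S+)$")

def parse_allowlist(text):
    """Return {package_id: {users}} from the allowlist text; malformed lines are ignored."""
    grants = {}
    for line in text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            grants.setdefault(m.group(2).lower(), set()).add(m.group(1).lower())
    return grants

def github_owner(url):
    """Owner segment of an https github.com release URL, or None for any other host/shape."""
    u = urlparse(url)
    # Exact host match only: github.com.example.net or a mirror must not qualify
    if u.scheme != "https" or u.netloc.lower() != "github.com":
        return None
    parts = u.path.strip("/").split("/")
    # Only github.com/<owner>/<repo>/releases/... counts as vendor-hosted
    if len(parts) >= 4 and parts[2] == "releases":
        return parts[0].lower()
    return None

def automerge_reason(author, package_id, installer_url, grants):
    """Which proposed rule (if any) makes this PR eligible; None means it goes to moderation."""
    author = author.lower()
    pkg = package_id.lower()
    if author in grants.get(pkg, set()):
        return "allowlist"
    if pkg.split(".", 1)[0] == author:          # Manifest id UserA.packageB, user UserA
        return "manifest-id"
    if github_owner(installer_url) == author:   # github.com/user/repo/releases/...
        return "release-url"
    return None
```

The comparison is always against the PR author's account name, so a contributor who merely links to someone else's GitHub release does not qualify under the URL rule.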
@Trenly
Contributor

Trenly commented Nov 19, 2022

I disagree fundamentally. Moderation serves not only to validate that the application installs correctly, but also that the metadata is accurate, the installer fields allow for winget to detect the version accurately, that no PUAs are installed with the application, that no dependencies are needed at runtime (which isn’t always caught by the pipelines), etc.

I do agree that Verified Publishers is a needed feature, but I don’t think that it should bypass the need for moderation.

Take for example PolyMC, where the developer went rogue. If the developer were allowed to bypass the moderation step, it could have potentially caused issues for anyone using PolyMC installed through winget.

The validation pipelines are great, but they can’t catch every potential issue, which is why the manual review by a moderator is a necessary step.

@gerardog gerardog changed the title [New Feature]: Do not require moderation / Automatic Merge of PRs [New Feature]: Allow packages submitted by Verified Publishers to be automatically merged Nov 19, 2022
@gerardog
Contributor Author

@Trenly: I may have described the proposal poorly. I edited to clarify. But please use charitable interpretation. I was trying to describe Verified Publishers, not the removal of moderation.

I do agree that Verified Publishers is a needed feature, but I don’t think that it should bypass the need for moderation.

What flavor of Verified Publishers do you agree with? How does it affect moderation/merge of PRs?

The validation pipelines are great, but they can’t catch every potential issue

I agree, but neither does moderation. AFAICT your example, PolyMC, was not filtered by moderation. And it's not the point, but a moderator could go rogue too. Publishers who want to go rogue don't need promotion as a Verified Publisher. For example, PolyMC.

Then the other points you mentioned: every publisher wants a valid, working package, accurate metadata, etc. You may not promote to Verified Publisher someone who doesn't have a known history of proper publishing.

@denelon
Contributor

denelon commented Nov 21, 2022

This is the intent behind:

We've got a version of it tested, but we're still having to hold off on the business process. We've also been discussing criteria for automated approval.

@denelon denelon removed the Needs-Triage This work item needs to be triaged by a member of the core team. label Nov 21, 2022