Comments (8)
Thanks both!
I feel like PRs like #386 which only touch docs files probably don't really require review.
I agree reviews aren't terribly important for docs-only changes, but there's still a benefit in having someone else take a look.
Note that requiring PR reviews does not meaningfully improve security posture (to be robust to single adversarial maintainer, you'd need to at least a) enforce previous approvals are invalidated by new commits, b) contributions by external contributors will need double approval).
I just enabled a setting that requires PRs and requires at least one review. GitHub also has a setting that requires review on the last pushed commit, which fixes your point b). It does not fix point a). We could fix that by requiring two (or more) reviews per PR, but I feel that is too inconvenient for development. (Any maintainer PR would need review from two other maintainers.)
from typing_extensions.
You can see who has commit access at python/typing_extensions/settings/access (if you are a maintainer).
(I think only repo admins can see that page; I'm a maintainer and it's a 404 for me)
from typing_extensions.
Overall this all sounds great; thanks for writing it up!
the release manager (in practice, me)
FWIW, I'd be happy to help out with releases :-)
We should ensure all code in the repo is reviewed. I would like to propose:
* Require reviews for all pull requests
This is the only part I have a slight qualm about. I feel like PRs like #386 which only touch docs files probably don't really require review. But PRs like that are rare enough that I think it'll probably be okay; I don't have a strong objection here.
from typing_extensions.
I think all of these are good. Note that requiring PR reviews does not meaningfully improve security posture (to be robust to single adversarial maintainer, you'd need to at least a) enforce previous approvals are invalidated by new commits, b) contributions by external contributors will need double approval).
I'm happy to both help out more with releases or also lose my release bit on PyPI, whatever we feel is best.
from typing_extensions.
The changes look good, and I'm happy to get less access (or no special access), unless a backup maintainer is useful.
from typing_extensions.
FWIW, on PyPI, we now have three admins (owners) and (in addition) three maintainers. Owners can do everything that maintainers can do. I'm okay with this setup. Not sure what the GitHub setup is yet.
from typing_extensions.
You can see who has commit access at https://github.com/python/typing_extensions/settings/access (if you are a maintainer). There's a few people there that we should probably retire.
from typing_extensions.
Status:
- We now have a Trusted Publishers workflow that successfully released the new release https://pypi.org/project/typing-extensions/4.12.0rc1/. The release process requires manual approval from one of a small set of trusted maintainers.
- We removed access from a few people who are no longer active.
- We turned on GitHub settings to require code review on all PRs.
- #403 adds a discussion of security to our docs.
We should also add a SECURITY.md
file.
from typing_extensions.
Related Issues (20)
- PEP-696: `AttributeError: attribute '__default__' of 'typing.ParamSpec' objects is not writable` on Python 3.13 HOT 4
- ParamSpec `_set_default` called from `ParamSpec.__new__` raises Attribute Error HOT 2
- Add an `override` decorator to a .pyi file HOT 8
- Add `inspect.get_annotations` backport
- Add `typing.get_type_hints` backport HOT 1
- Pylint raises error saying "default" isn't valid for TypeVar HOT 2
- Third-party tests failed on Sat Jun 01 2024 HOT 2
- `TypeError` on nested `Annotated`s with `typing_extensions==4.12.0`
- Third-party tests failed on Sun Jun 02 2024 HOT 2
- 4.12.1: `pyupgrade --py38-plus` generated patch causes pytest fails HOT 9
- Third-party tests failed on Mon Jun 03 2024 HOT 1
- Third-party tests failed on Thu Jun 06 2024 HOT 1
- Weird conflict between typing-extensions 4.12.1, xarray, dirty_equals on Python 3.8 HOT 2
- 4.12.2 creates an import bug HOT 2
- Add `typing_extensions.TypeExpr` HOT 4
- Third-party tests failed on Wed Jun 26 2024 HOT 1
- Third-party tests failed on Sat Jul 13 2024 HOT 1
- Third-party tests failed on Sun Jul 14 2024 HOT 3
- Third-party tests failed on Mon Jul 15 2024 HOT 1
- `typing_extensions.deprecated` and `warnings.deprecated` remove coroutine property; How to deprecate async functions? HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from typing_extensions.