Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

new code pushed to main branch? #182

Closed
illume opened this issue Jan 24, 2025 · 7 comments
Closed

new code pushed to main branch? #182

illume opened this issue Jan 24, 2025 · 7 comments
Labels
question

Comments

@illume
Copy link

illume commented Jan 24, 2025
edited
Loading

It looks like a big commit was just pushed to the main branch without a PR.

Seems it's a bunch of commits together from a fork somewhere?
@illume illume added the bug label Jan 24, 2025
@jaitaiwan jaitaiwan added question and removed bug labels Jan 24, 2025
@jaitaiwan
Copy link

What do you mean by big commit? It's 3 files. Or bunch of commits it's a single commit? Maintainers will often push directly to the branch ourselves where required. You see the same thing on many other gorilla repos. Eventually there will be a release which will include this change and whatever others we merge or push.

@illume
Copy link
Author

illume commented Jan 24, 2025

I wondered about a commit pushed to main by a new contributor is all. I wrongly assumed code review would be done via PR because I saw an OpenSSF best practices badge.

cc @coreydaley

@coreydaley
Copy link
Contributor

Only because I was tagged by @illume I will weigh in.
All contributed code SHOULD be a pull request so that it can be reviewed by the community, unless it fixes an embargoed CVE. I am not up-to-date on the circumstances surrounding this commit.

Since this user (@patrickod) is also a first time contributor it does seem a bit weird and suspicious. Maybe that user can weigh in on the circumstances surrounding this contribution?

@illume
Copy link
Author

illume commented Feb 17, 2025

Since the commit wasn't reviewed in a PR, would you accept a PR reverting it?

@jaitaiwan
Copy link

Can you refer me to where in the best practices it is a MUST to have a PR for the review? I struggled to find anywhere that would enforce it

Considering the team has not yet done a release around this commit yet, I think you can pretty easily determine the why for this commit.

@illume
Copy link
Author

illume commented Feb 18, 2025

Like mentioned above, all code should be contributed by pull request…

https://github.com/gorilla/.github/blob/ccd01604dd05f1f9ba58bf6c5cad19b3fb0cfaa4/CONTRIBUTING.md#all-code-changes-happen-through-pull-requests

@jaitaiwan
Copy link

Okay so you're only going off the contributing guide got it. So let me think through this for you... if the contributing guide says "commit a PR" and there's no visible PR that a commit has come from... then it must be.... an embargoed CVE 🥇

Therefore if it's embargoed the maintainers can't talk about it.

Honestly this is just about the silliest thing I've had the pleasure of dealing with in Open Source so far. There's a thorough explanation of the commit in the commit message and it's 3 files so it's not like it's hard to read it yourself to deduce this. Nor is it any less transparent than if it had gone through a public PR process.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@illume @jaitaiwan @coreydaley