Conversation
Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
nedbat
left a comment
A few tweaks to existing sentences, but I like it!
Co-authored-by: Ned Batchelder <ned@nedbatchelder.com>
index.rst
| .. code-block:: shell | ||
|
|
||
| .. code-block:: shell | ||
| pre-commit install | ||
| pre-commit run --all-files |
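Review bot: the added `pre-commit install` / `pre-commit run --all-files` lines recommend running hooks fetched from third-party repositories on every contributor's machine, while the config pins each hook's `rev` to a tag, which can be rewritten to point at different code; either pair the recommendation with `rev` values pinned to commit SHAs (`pre-commit autoupdate --freeze`) or leave it out until that pinning is in place.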
Are we OK with the security implications of recommending this for every contributor's machine?
cc @sethmlarson
We're currently using tags as rev for our config, so that would allow any compromised pre-commit repo to instantly execute code by rewriting the tag on a repo. To mitigate this we could adopt using git commit SHAs instead of git tags in the rev field, I believe that pre-commit supports this use-case?
It's obviously an extra support burden to upgrade and maintain these, but it removes the risk of a single compromise to a repository elsewhere from allowing RCE on all contributor machines.
To mitigate this we could adopt using git commit SHAs instead of git tags in the rev field, I believe that pre-commit supports this use-case?
Yes, by using --freeze with either of these commands:
prek autoupdate --freeze
pre-commit autoupdate --freeze
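As an added example (not code from the devguide, pre-commit or anyone in this thread), the following script scans a `.pre-commit-config.yaml` for hook repositories whose `rev` is still a mutable ref such as a tag rather than a full commit SHA, which is the state `pre-commit autoupdate --freeze` leaves behind. It assumes the standard `repos:` / `- repo:` / `rev:` layout and the `# frozen: <tag>` comment that `--freeze` writes; the two hook repositories in the embedded sample config are constructed for the example and do not exist.

```python
"""Flag pre-commit hook repos whose ``rev`` is a mutable ref (tag or branch)
instead of an immutable commit SHA.

Added example, not part of the devguide or of pre-commit.  The config is read
with a small line scanner rather than PyYAML so the script runs with no extra
dependencies; it only needs the ``- repo:`` and ``rev:`` lines.
"""
import re

# Constructed sample config (both repo URLs are hypothetical).  The first
# repo is pinned to a tag, the second has been frozen to a full commit SHA
# by ``pre-commit autoupdate --freeze``.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/example/hook-one
    rev: v1.2.3
    hooks:
      - id: hook-one
  - repo: https://github.com/example/hook-two
    rev: 0123456789abcdef0123456789abcdef01234567  # frozen: v2.0.0
    hooks:
      - id: hook-two
"""

REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
REV_RE = re.compile(r"^\s*rev:\s*['\"]?([^\s'\"#]+)")
# A full git object id: 40 hex chars (SHA-1) or 64 hex chars (SHA-256 repos).
FULL_SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def find_mutable_revs(config_text):
    """Return [(repo_url, rev), ...] for every repo not pinned to a full SHA.

    Repos without a ``rev`` line (``repo: local`` / ``repo: meta``) are skipped,
    since there is nothing to pin for them.
    """
    findings = []
    current_repo = None
    for line in config_text.splitlines():
        m = REPO_RE.match(line)
        if m:
            current_repo = m.group(1)
            continue
        m = REV_RE.match(line)
        if m and current_repo is not None:
            rev = m.group(1)
            if not FULL_SHA_RE.match(rev):
                findings.append((current_repo, rev))
    return findings


def freeze_hint(repo, rev):
    """Human-readable remediation line for one finding."""
    return (
        f"{repo}: rev {rev!r} is a mutable ref; pin it to a commit SHA "
        "(pre-commit autoupdate --freeze keeps the tag in a '# frozen:' comment)"
    )


if __name__ == "__main__":
    for repo, rev in find_mutable_revs(SAMPLE_CONFIG):
        print(freeze_hint(repo, rev))
```

Run against a real config with `find_mutable_revs(open(".pre-commit-config.yaml").read())`; abbreviated SHAs are deliberately reported too, since only a full object id identifies exactly one commit.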
I'll remove it from here for now, and open an issue when this is merged.
| Status of Python branches | ||
| ------------------------- |
This is a “soft redirect” for people who have #status-of-python-branches bookmarked. Can we keep it?
I think ~4 years is long enough.
Thinking of the old flow:
- Click my bookmark
- Taken to https://devguide.python.org/#status-of-python-branches
- Click "Moved to Status of Python versions"
- Taken to https://devguide.python.org/versions/#versions
If someone has still been going through all that rigmarole for 4 years and hasn't updated their bookmarks, I think removing this is a good prompt.
I agree with Hugo, I'll remove it unless you feel strongly about keeping it.
We could add a redirect, but it would be quite messy; as such, I don't think it's worth it.
This moves a few sections around to be more introductory rather than jumping straight into the quickstart, drops less important/relevant sections to the bottom (i.e. the alternative implementations), removes the version section stub (it has been there for long enough), and updates a few little things along the way.