Open oxinabox opened 2 months ago
TL;DR: to decrease maintenance burden.
Trust issues are from the copier side. To execute commands in the generated repo, you have to use --trust
or --unsafe
on copier.
For new packages, we could run git commands from the Julia side to create the repo, but I've been trying to keep it light (maintenance). From your experience, does it involves many corner cases?
Also, pre-commit
should be run (when added) between some git commands, so in addition to running git
commands, we would need to run pre-commit
as well, which adds more corner cases.
For existing packages, the user has to look at the result and decide what to add/restore, so no automatic commands.
Thanks for the question and let me know what you think of the reasoning.
I guess my question then becomes why does this involve more trust for copier
?
Maybe we can just always run copier with those flags?
I haven't found that git has caused much maintainance burden I think this is the only one I personally have hit: https://github.com/JuliaCI/PkgTemplates.jl/issues/327 And browsing the others: https://github.com/JuliaCI/PkgTemplates.jl/issues?q=is%3Aissue+git I can't remember any being too burdensome. Nothing has forced me to look at the code for this, so I don't actually know how it works. Which itself is an argument for it not being too bad
When you run copier copy URL here/
, you are implicitly trusting copier
, but not the template in URL
, so you don't run the tasks that the URL template defines by default. Trusting in this context means allowing the tasks in URL to run.
Here we mix both, since the template is also the package.
I'm still on the fence, but we can split into two issues:
I'm not picking this up right now, but for someone wanting to pick up 1, I think the following is needed:
Description
The docs say:
What are these trust issues? (I am already running arbitrary code that is in this package after all)