Open bearbin opened 8 years ago
What about Travis though? They ask for repo hook access, and more. And we can invite people to examine the sources, etc.
we can invite people to examine the sources
And how would these people verify that the source we present is the source that is actually running?
What about travis?
Well, we're not travis, so it isn't relevant. We should aim to lower barriers as far as we can.
You could say that then about all supposedly "open source" web services. If you couldn't trust a plugin repository to create and delete hooks, might as well not use it.
I'm not sure if OAuth scopes are fine enough to go down to repository level; it's either all repositories or all organisations' repostiories' hooks, and if anything, asking people to add it manually is more of a barrier to submission.
We could do some gymnastics to request more scope when someone wants to add a plugin.
Only ask for permissions for individual repositories, or get users to add hooks manually.