Open ghsa-retrieval opened 2 weeks ago
@ghsa-retrieval this is a very clear report. I like your option 1 very much. And this has been the purpose of components all the way. Some historical perspective is that we used to have only products and components before we got packages. @DennisClark feedback welcomed!
@ghsa-retrieval thanks very much for the excellent suggestion. I agree with @pombredanne that your option 1 is the best way to go. The only challenge will be fitting this enhancement into our current roadmap -- updates on that to follow.
@ghsa-retrieval Re: " I'm also not entirely sure why the package associated with components seem to be handled differently with regard to permissions when compared to products. Components seem to be fairly locked off and only editable by the data admins." The Django admin screens are the primary mode for editing Products, Packages or Components so there is not much difference there. Access to specific functions is controlled by user Groups which are configurable. Products have some additional access controls to support use cases with multiple independent product teams vs the use case for components or packages as more general purposes datasets.
Is your enhancement request related to a problem? Please describe. It can happen that a software is both released as a standalone product A and simultaeously as part of a bigger product B. Ideally the package dependencies would not have to be added and reviewed for the product B a second time, but rather product A can be included in product B.
What are the benefits of the requested enhancement?
Describe the solution you would like
Additional notes I have asked about this on gitter and was directed to the issue tracker. I may have misunderstandings what components should be used for so apologies if the suggestion goes against the intended design. I'm also not entirely sure why the package associated with components seem to be handled differently with regard to permissions when compared to products. Components seem to be fairly locked off and only editable by the data admins.