-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Review team #354
Comments
Updated first post with Workflow section. I previously mentioned the possibility of requiring proof of identification for being the Review team. That will not be required. |
do we check if the code builds? |
@phdsg You can if you'd like, but it doesn't bother me if I attempt to build a repo and it fails to compile. (The build breaking on one arch but not another is a common case that will be unavoidable to fully detect before attempting to make builds.) I'll just make a comment in the plugin's thread that it doesn't compile on arch XXX because of a particular reason, they'll fix it, update the submodule again, and I'll rebuild. To save the extra steps, you can try building, but it's not required. |
Thanks for the help so far guys! To organize team members, state your name and I'll list your username in the first post. |
@AndrewBelt does "branch" in .gitmodules have to point to the specific commit we checked out in the repo? |
When you enter a submodule directory and check out a particular commit, that commit is saved when committing in the parent repository. |
yea, that worked for the previous PRs i did. |
...yesterday I found out there were unused svgs, (with same names but different cap)...so I cleaned them out to avoid issues... After that commit I posted the hash here...#389 |
ah. this repo was already bumped to 0.6.1 before (but not yet made available)... |
anyways, for the future: how do we deal with situations like that @AndrewBelt ? |
Technically if a build hasn't been made yet (you can tell because |
ok, tried once more to update the moDllz repo...
after
|
When you |
|
Looks like your changes were successfully committed. If you enter the |
|
is this a capitalization thing? |
I think you're fine, right? Your local moDllz directory is out of sync which can be fixed with |
after
|
yeah, seems this is a moDllz vs moDLLz filename conflict... hate that about windows! |
Pinging people for #393 |
Yes...there was some mixed files with same name and different caps.. (sorry guys about this).. I cleaned them up, but kept the filename. |
@phdsg @mdemanett I've given you commit access so we can finally skip PRs. Remember to acknowledge that you've "reviewed" the changes in the commit message if updating a submodule. If someone would like to join the Review Team, send a few correct PRs following the Workflow in the first post, and I'll also give you commit access. |
does that mean we can work directly from a clone instead of the fork? |
Yup |
nice, should we do our edits on branches or just directly to master? |
Directly to master would be easiest for you. I'll occassionally review commits but mostly just trust that things are in order. |
still not sure how to solve #398 (comment) and whether adding the repo with deleted my community fork and local clone of it, replaced it with a fresh clone from here. |
@AndrewBelt on the TODO thing in the OP:
|
Could someone review the list of open plugin threads and make sure we've done all we can do with the review process? This is probably a good link to bookmark. https://github.com/VCVRack/community/issues?q=is%3Aissue+is%3Aopen+label%3Aplugin+sort%3Aupdated-desc |
I cleaned up a bit, closed a couple or commented. AS and Impromptu (as of just now) are ready to build. Bidoo remains outstanding on the build issue -- awaiting 0.6.1, I guess. It'd seem helpful in general to clarify what people can do to be compliant with the build system when they're using libraries. That's been the biggest headache with the process so far. Like, if hypothetically someone had a good reason to depend on libsamplerate, and wanted to be in the build system, how would they do it? |
As for libsamplerate, that library doesn't build on Linux using the cross compilers |
There's dead silence on the Facebook page about Plugin Manager sync issues.. which means this system is working well! I know how much effort it takes to review and curate these 116 plugins, so if you comment here with the best way to contact you privately, I'll grant your account all VCV-branded plugins, or $50 if you'd prefer for the past half-year in the VCV community. |
Cool, been meaning to try those. I'm at matt at demanett dot net. Thanks! |
Hey @AndrewBelt, sorry, I had missed the notification for message above from June 5th. My email is modular80 at gmail dot com. Thank you! |
Hey, this is the best place I could find to ask this: How is the open-source/closed-source thing working right now? I mean, how are closed-source plugins added to the community plugins, and how can they be verified as not being malicious in the absence of the source code? Let me know if there's a more appropriate place for this question/discussion, or somewhere it has been had before, thanks! |
@c50a326 If you're interested in publishing a closed source plugin, see https://github.com/VCVRack/community/blob/master/README.md#addingupdating-your-plugins-build-for-closed-source-free-and-commercial-plugins If you're interested in your own security as a user, VCV has government IDs on file before allowing submissions of unreviewed files. |
Just so everybody is aware of making changes after automation queuing a repo for review / build or up to date status. What are the proper procedures regarding this. There have been a few instances, recently and in the past, where the integrity of Rack have been compromised by updates. This is rare and not to point the finger at anyone, these things happen... What would be the best course of action for a Plugin Dev to take if there is a last minute bug or change? Would simply closing the issue then submitting a new build be the best way make sure a compromising commit does not make it through? |
Github issues are not connected to the build. We just use them to track the work to be done. As soon as I commit a version of a plugin to the repository, the next build run will pick it up. To prevent it from being picked up means that either myself or @AndrewBelt has to revert the commit in the library repository. Closing issues won't do anything, except cause potential confusion on our part. In general, the problem is one of quality control on the plugin developer's side. Developers should be submitting their plugin for release AFTER quality control has been done on their side. A lot of developers of open source plugins do this by posting pre-release versions in the forum, which is great. You get some runtime on your plugin and people can test before releasing it via official channels. Every one of those critical issues could have been prevented with a little more testing before submission. To answer your question: notifying us via Github issue, or better email, is probably the best course of action in a case like you described. Any thoughts on this, @AndrewBelt? |
Closing since the VCV Community forum is a more organized place for discussions. |
The Review team is responsible for updating and adding plugin source code to
repos/
, making sure the source code is not malicious.Workflow
Begin by checking this repo's issues for requests from plugin developers.
If someone requests an update to their build, first figure out what commit they're talking about in their source repo. Sometimes they'll mention a tag or branch or just say "the latest".
Next,
cd
intorepos/<their plugin>
andgit pull
,git checkout <tag>
, or do whatever it takes to get the source they want into the submodule.Then most importantly, review the source code for alarming stuff like
system()
calls, networking, modifying files, running stuff in the background, and anything else creative that someone can do. It's just as important to review their Makefile.A "review" simply means gliding your eyes over the source code, or
git diff
in your terminal between the current commit and the last state of the submodule. TODO: What's a git command to compare the submodule'sHEAD
with the submodule'sHEAD
of the previouscommunity
commit?If all is good, set
"repoVersion"
in the plugin's manifest JSON file to the VERSION string specified in the plugin's Makefile.Don't change
"latestVersion"
or"status"
in the manifest.Finally, make a commit, and send a pull request (if you don't yet have VCV community access). In your commit message, say "reviewed" somewhere to acknowledge that the commit only contains reviewed source code.
Members
The text was updated successfully, but these errors were encountered: