Propose a software release process for Reich Lab packages #14
Conversation
| ensure that people won't need to create their own process every time). | ||
| - The recommended publication process gives the team control over the timing | ||
| and content of software releases. | ||
| - Attaching ourselves to the Hubverse process means that the Reich Lab doesn't |
There was a problem hiding this comment.
I expect that publishing to PyPI will unearth some nuances that aren't documented in the current Hubverse release process, because that documented is R-focused.
However, I'd propose that we submit PRs to the Hubverse guidelines rather than try to maintain our own version for the Lab.
There was a problem hiding this comment.
More or less agree with this. The process for publishing to CRAN requires more manual intervention and more back-and-forth, but it does not require any OAuth workflows, we will likely add a separate section of the guidelines to handle language-specific publishing.
There was a problem hiding this comment.
Makes sense. I added an issue to update the Hubverse docs once Cladetime is on PyPI (i.e., we know how to do it): hubverse-org/hubDocs#233
bsweger
requested review from
matthewcornell,
nickreich,
zkamvar,
elray1 and
lshandross
| To my knowledge, the Lab does not actively maintain any software packages on a | ||
| package index. |
There was a problem hiding this comment.
Several years ago, one of our students put this package on pypi: https://pypi.org/project/pymmwr/. We haven't touched or maintained it since then.
There was a problem hiding this comment.
Thanks for the link!
Do lab projects still use this package (dependabot flagged several security VULNs, including 6 classified as high severity: https://github.com/reichlab/pymmwr/security/dependabot)?
Does anyone besides the original author have maintainer status on PyPI?
I'll amend the text about "no prior art," but will frame it as "the prior art we have predates modern PyPI security practices like trusted publishers and predates GitHub actions as a way to automate publication"
There was a problem hiding this comment.
- I don't know of any current projects that use it, but it could be that we start using it some time. it's a useful tool
- probably no one else has maintainer status on PyPI
- sounds good r.e. amendment
|
I also don't have anything to add, this seems good to me. Particular things that seem good are:
|
| - This proposal concerns the mechanics and development process for published | ||
| packages; it does not cover how to determine if pursuing publication is | ||
| desirable. |
| ensure that people won't need to create their own process every time). | ||
| - The recommended publication process gives the team control over the timing | ||
| and content of software releases. | ||
| - Attaching ourselves to the Hubverse process means that the Reich Lab doesn't |
There was a problem hiding this comment.
More or less agree with this. The process for publishing to CRAN requires more manual intervention and more back-and-forth, but it does not require any OAuth workflows, we will likely add a separate section of the guidelines to handle language-specific publishing.
Co-authored-by: Zhian N. Kamvar <[email protected]>
@lshandross it would be great to add these to the hubDevs vignette. Could you open an issue in hubDevs? Also related is hubverse-org/hubDocs#233 |
I'm planning to publish Cladetime to PyPI and couldn't find any documented procedures for deploying Reich Lab software to package indexes like PyPI, CRAN, npm.