From 9cab20e62157bc9e93f6f6c25d91e0b9a562cd72 Mon Sep 17 00:00:00 2001 From: Faye Amacker <33205765+fxamacker@users.noreply.github.com> Date: Sun, 13 Aug 2023 13:34:54 -0500 Subject: [PATCH] Update CONTRIBUTING.md (#423) Cleanup for v2.5.0. --- CONTRIBUTING.md | 39 +++++++++++---------------------------- 1 file changed, 11 insertions(+), 28 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 56c565dd..de0965e1 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,33 +1,26 @@ # How to contribute -Here are some ways you can contribute: +You can contribute by using the library, opening issues, or opening pull requests. -- Give this library a star on GitHub. It doesn't cost anything and it lets maintainers know you appreciate their work. -- Use this library in your project. By using this library, you're more likely to open an issue with feature request, etc. -- Report security vulnerabilities privately by email after reading this contributing guide and [Security Policy](https://github.com/fxamacker/cbor#security-policy). -- Open an issue with a feature request. It can help prioritize issues if you provide a link to your project and mention if a missing feature prevents your project from using this library. -- Open an issue with a bug report. It's helpful if the bug report includes a link to a reproducer at [Go Playground](https://go.dev/play/). -- Open a PR that would close a specific issue. Ask if it's a good time to open a PR in the issue because a solution might already be in progress. Please also read about the signing requirements before spending time on a PR. +## Bug reports and security vulnerabilities -If you'd like to contribute code or send CBOR data, please read on (it can save you time!) - -## Private reports - -Usually, all issues are tracked publicly on [GitHub](https://github.com/fxamacker/cbor/issues). +Most issues are tracked publicly on [GitHub](https://github.com/fxamacker/cbor/issues). To report security vulnerabilities, please email faye.github@gmail.com and allow time for the problem to be resolved before disclosing it to the public. For more info, see [Security Policy](https://github.com/fxamacker/cbor#security-policy). -Please do not send data that might contain personally identifiable information, even if you think you have permission. That type of support requires payment and a contract where I'm indemnified, held harmless, and defended for any data you send to me. 
+Please do not send data that might contain personally identifiable information, even if you think you have permission. That type of support requires payment and a signed contract where I'm indemnified, held harmless, and defended by you for any data you send to me. ## Pull requests -Pull requests have signing requirements and must not be anonymous. Exceptions can be made for docs and CI scripts. +Please [create an issue](https://github.com/fxamacker/cbor/issues/new/choose) before you begin work on a PR. The improvement may have already been considered, etc. -See our [Pull Request Template](https://github.com/fxamacker/cbor/blob/master/.github/pull_request_template.md) for details. +Pull requests have signing requirements and must not be anonymous. Exceptions are usually made for docs and CI scripts. -Please [create an issue](https://github.com/fxamacker/cbor/issues/new/choose), if one doesn't already exist, and describe your concern. You'll need a [GitHub account](https://github.com/signup/free) to do this. +See the [Pull Request Template](https://github.com/fxamacker/cbor/blob/master/.github/pull_request_template.md) for details. -If you submit a pull request without creating an issue and getting a response, you risk having your work unused because the bugfix or feature was already done by others and being reviewed before reaching Github. +Pull requests have a greater chance of being approved if: +- it does not reduce speed, increase memory use, reduce security, etc. for people not using the new option or feature. +- it has > 97% code coverage. ## Describe your issue 
@@ -40,17 +33,7 @@ Clearly describe the issue: Please don't send data containing personally identifiable information, even if you think you have permission. That type of support requires payment and a contract where I'm indemnified, held harmless, and defended for any data you send to me. -Please don't send CBOR data larger than 512 bytes. If you want to send crash-producing CBOR data > 512 bytes, please get my permission before sending it to me. - -## Wanted - -* Opening issues that are helpful to the project -* Using this library in your project and letting me know -* Sending well-formed CBOR data (<= 512 bytes) that causes crashes (none found yet). -* Sending malformed CBOR data (<= 512 bytes) that causes crashes (none found yet, but bad actors are better than me at breaking things). -* Sending tests or data for unit tests that increase code coverage (currently around 98%) -* Pull requests with small changes that are well-documented and easily understandable. -* Sponsors, donations, bounties, or subscriptions. +Please don't send CBOR data larger than 1024 bytes by email. If you want to send crash-producing CBOR data > 1024 bytes by email, please get my permission before sending it to me. ## Credits
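Review bot: In the first hunk (`@@ -1,33 +1,26 @@`), the new approval criteria under "Pull requests have a greater chance of being approved if:" are hard to act on as written. "it has > 97% code coverage" does not say whether the threshold applies to the lines the PR adds or to the package as a whole, and "reduce security, etc." leaves the remaining criteria open-ended. Suggest stating what the coverage figure is measured on and replacing "etc." with the specific regressions that block a merge. The list items also start with "it" under a plural subject ("Pull requests ... if: it does not ..."); "they do not ..." / "they have ..." would read correctly. Separately, the security paragraph now directs reporters to email, but the size limit for emailed CBOR data only appears later under "Describe your issue"; a one-line pointer to that limit here would keep vulnerability reporters from missing it.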
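Review bot: In the second hunk (`@@ -40,17 +33,7 @@`), the unchanged context paragraph about personally identifiable information still reads "a contract where I'm indemnified, held harmless, and defended for any data you send to me", while the first hunk changed the same sentence under "Bug reports and security vulnerabilities" to "a signed contract where I'm indemnified, held harmless, and defended by you". The two copies now state different terms; suggest updating this one to match, or keeping the sentence in one place and linking to it. Also worth confirming: removing the "Wanted" section drops the only explicit invitation to send well-formed or malformed crash-producing CBOR data, so the remaining 1024-byte sentence tells reporters the limit without first saying such samples are welcome.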