[New Feature]: Throw Validation-Domain when Github URLS don't strongly correlate to the PackageIdentifier #204673
Labels: Issue-Feature
Description of the new feature/enhancement
For most packages that are hosted on GitHub, the PackageIdentifier is of the form Organization.RepoName, where both the organization and the repo name have been normalized. For example, https://github.com/Example-Desktop/ExampleOne may end up as Example.ExampleOne, while https://github.com/Example-Two/Package may end up as ExampleTwo.Package.

In the current state of the pipelines, any GitHub URL seems to pass validation without Validation-Domain, regardless of whether it correlates to the package identifier. This means that a fork like https://github.com/denelon/Package could be submitted under the identifier Trenly.Package without ever throwing Validation-Domain. Given the standards already set in the repository, and the need for correct attribution, this should not be allowed.

Proposed technical implementation details (optional)
A new type of domain validation should be applied to GitHub URLs to ensure they point to a heuristically similar fork that the package identifier is claiming. Since it is possible for GitHub organizations to be renamed, or for there to be a genuine need for an identifier to not match the organization, there should be a way to apply a waiver.
It would be best if all GitHub URLs had to have a waiver which correlated the package identifier to a specific repository.
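The check proposed above, written out as an added example (this is not code from the winget-pkgs pipelines, whose actual validation logic is not described on this page). The normalization rule it uses is an assumption: the org and repo segments are lower-cased, every non-alphanumeric character is dropped, and the identifier's publisher and name must then equal or be a prefix of (or be prefixed by) the normalized org and repo, with a minimum shared length of three characters so a one-letter publisher cannot match anything. The WAIVERS table, the "Contoso.Tool" entry and the return strings are constructed placeholders; the example URLs and identifiers are the ones from the issue text.

```python
import re
from urllib.parse import urlparse

# Constructed waiver table (hypothetical, not from the winget-pkgs repository):
# PackageIdentifier -> the one "org/repo" slug it is explicitly allowed to point at.
# A waiver pins the identifier to that repository instead of applying the heuristic.
WAIVERS = {
    "Contoso.Tool": "contoso-org-renamed/tool",
}

# Minimum length the shorter side must have before a prefix match is accepted;
# below this only an exact match counts (an assumption, to avoid trivial matches).
MIN_PREFIX_LEN = 3


def normalize(segment: str) -> str:
    """Lower-case and strip every non-alphanumeric character (hyphens, dots, underscores)."""
    return re.sub(r"[^0-9a-z]", "", segment.lower())


def parse_github_repo(url: str):
    """Return (org, repo) for a github.com repository URL, or None for any other URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.netloc.lower() not in ("github.com", "www.github.com"):
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) < 2:
        return None
    org, repo = parts[0], parts[1]
    if repo.lower().endswith(".git"):
        repo = repo[:-4]
    return org, repo


def _prefix_match(a: str, b: str) -> bool:
    """Exact match, or one side is a prefix of the other and the shorter side is long enough."""
    if a == b:
        return True
    if min(len(a), len(b)) < MIN_PREFIX_LEN:
        return False
    return a.startswith(b) or b.startswith(a)


def check_domain(package_identifier: str, url: str, waivers=WAIVERS) -> str:
    """Classify a manifest URL against its PackageIdentifier.

    Returns one of "not-github" (heuristic does not apply), "waived",
    "ok", or "Validation-Domain" (the error the issue proposes raising).
    """
    repo_ref = parse_github_repo(url)
    if repo_ref is None:
        return "not-github"
    org, repo = repo_ref

    # A waiver correlates the identifier to exactly one repository; anything else fails.
    waived_slug = waivers.get(package_identifier)
    if waived_slug is not None:
        return "waived" if waived_slug.lower() == f"{org}/{repo}".lower() else "Validation-Domain"

    # Publisher is the first identifier segment; the name is everything after the first dot.
    publisher, _, name = package_identifier.partition(".")
    n_pub, n_name = normalize(publisher), normalize(name)
    n_org, n_repo = normalize(org), normalize(repo)
    if not n_pub or not n_name:
        return "Validation-Domain"

    publisher_ok = _prefix_match(n_pub, n_org)   # "example" vs "exampledesktop" -> True
    name_ok = _prefix_match(n_name, n_repo)       # "package" vs "package" -> True
    return "ok" if publisher_ok and name_ok else "Validation-Domain"


if __name__ == "__main__":
    cases = [
        ("Example.ExampleOne", "https://github.com/Example-Desktop/ExampleOne"),
        ("ExampleTwo.Package", "https://github.com/Example-Two/Package"),
        ("Trenly.Package", "https://github.com/denelon/Package"),
        ("Contoso.Tool", "https://github.com/contoso-org-renamed/tool"),
        ("Contoso.Tool", "https://github.com/someone-else/tool"),
    ]
    for ident, link in cases:
        print(f"{ident:20} {link:55} -> {check_domain(ident, link)}")
```

The fork case from the issue (Trenly.Package submitted with a denelon/Package URL) is the one that now returns Validation-Domain; a renamed organization is handled by adding a waiver row rather than by loosening the heuristic, which is what keeps the attribution guarantee intact.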