
3.10 Code policies

Introduction

These policies cover security and other miscellaneous rules that describe how our code works.

Data

  • All data stored in ATR must be publicly readable, with the exception of PAT hashes and PII.

Tasks

  • Secret values must never be passed to tasks. This ensures that Task objects and results can be considered public.

Dependencies

  • Every .pth file installed into the project's virtual environment must appear in the allowlist of scripts/check_pth_files.py. The allowlist is enforced by make sync and pre-commit. Python executes the import lines of .pth files on every interpreter startup, which makes them a known supply-chain attack vector.
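
The following is an added example of such an allowlist check, not ATR's own scripts/check_pth_files.py. The allowlist contents, function names and sample files are assumptions made for illustration; the rule for which lines count as executable follows the standard library's site module, which runs any .pth line that starts with "import" followed by a space or tab.

```python
import tempfile
from pathlib import Path

# Hypothetical allowlist; ATR's real list lives in scripts/check_pth_files.py.
ALLOWED_PTH = frozenset({"_virtualenv.pth", "distutils-precedence.pth"})


def executable_lines(pth: Path) -> list[str]:
    """Return the lines that site.py would exec() instead of adding to sys.path."""
    text = pth.read_text(encoding="utf-8", errors="replace")
    # site.addpackage() executes lines starting with "import " or "import\t".
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def audit_pth(site_packages: Path, allowed: frozenset[str] = ALLOWED_PTH) -> dict[str, list[str]]:
    """Map each non-allowlisted .pth file name to its executable lines."""
    findings = {}
    for pth in sorted(site_packages.glob("*.pth")):
        if pth.name not in allowed:
            findings[pth.name] = executable_lines(pth)
    return findings


def demo() -> dict[str, list[str]]:
    """Run the audit over a constructed site-packages directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = Path(tmp)
        # Constructed sample files, not taken from any real package.
        (sp / "_virtualenv.pth").write_text("import _virtualenv\n")
        (sp / "editable_pkg.pth").write_text("/src/pkg\n")
        (sp / "surprise.pth").write_text("# comment\nimport os; os.environ.get('HOME')\n")
        return audit_pth(sp)


if __name__ == "__main__":
    for name, lines in demo().items():
        kind = "executes code at startup" if lines else "path entries only"
        print(f"NOT ALLOWLISTED: {name} ({kind})")
        for ln in lines:
            print(f"    {ln}")
```

A check like this fails on any file outside the allowlist, including ones that only add path entries, so a new .pth file always gets a human review before it is accepted.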