From d528045c83bd0704b9a13e887cdf2007cbc88ec7 Mon Sep 17 00:00:00 2001 From: wlandau Date: Sun, 17 Nov 2024 13:00:32 -0500 Subject: [PATCH 01/18] Edit review policy --- review.md | 115 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 70 insertions(+), 45 deletions(-) diff --git a/review.md b/review.md index 86bea44..68ed241 100644 --- a/review.md +++ b/review.md 
@@ -2,48 +2,73 @@ title: "Review Policy" --- -As the [contributors](contributors.md) page explains, updates to the R-multiverse package listings come from pull requests to from members of the R community. In the vast majority of cases, a GitHub app automatically merges the pull request. However, some pull requests need to be manually reviewed by an R-multiverse moderator. This document describes this manual review process. The goals are to: - -1. Ensure that all pull requests are reviewed using a consistent set of standards and principles that do not vary according to moderator. -2. Ensure these standards and principles are clear and transparent for the R community. - -## The automated review process - -The [`review.yaml`](https://github.com/r-multiverse/community/blob/main/.github/workflows/review.yaml) [GitHub Actions](https://docs.github.com/en/actions/learn-github-actions/understanding-github-actions) workflow runs periodically and reviews each new open pull request using [`multiverse.internals::review_pull_requests()`](https://github.com/r-multiverse/multiverse.internals/blob/main/R/review_pull_requests.R). Depending on the results of the automated checks, the bot will automatically merge the pull request, close it, or flag it for manual review. The bot will post an informative comment explaining the decision, and it may add a GitHub label to the pull request for triage purposes. - -The pull request is automatically closed if: - -1. It attempts to add/modify/delete a file outside the [`packages`](https://github.com/r-multiverse/contributions/tree/main/packages) folder. -1. It attempts to add/modify/delete a file in a subdirectory of the [`packages`](https://github.com/r-multiverse/contributions/tree/main/packages) folder. - -The pull request is automatically flagged for manual review if: - -1. The latest commit was not [created by the GitHub web interface](https://r-multiverse.org/contributors.html). -1. 
It attempts to modify or delete any existing file in [`packages`](https://github.com/r-multiverse/contributions/tree/main/packages). -1. A contributed text file is not a single-line file. -1. The text file looks like a custom JSON entry (for packages in a subdirectory of a GitHub repository). -1. The name of the the text file is not a valid R package name. -1. The URL in the text file cannot be parsed. -1. The URL scheme is anything other than HTTPS. -1. The domain of the URL is anything other than github.com or gitlab.com. -1. The URL points to an organization or user such as rather than a repository such as . -1. The URL does not exist or is not online at the time it is checked (HTTP error trying to access it). -1. A [release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases) could not be found at the repo in the URL. -1. The version-controlled repository name in the URL is different from the name of the file. (For example, if the file is named `gh` as the package, then the URL would be flagged for manual review, but would not.) -1. The repository is part of the CRAN mirror at . -1. The package is also on CRAN, and the URL in the pull request cannot be found in the `DESCRIPTION` file of the latest CRAN release. - -## The manual review process - -If a pull request is flagged for manual review, an R-multiverse moderator will read the pull request and ask questions if necessary. Although the moderator may make optional suggestions on a case-by-case basis, package reviews must be consistent, reliable, and inclusive whenever possible. The decision to close or merge the pull request must be based exclusively on the following pre-defined list of requirements: - -1. Each contribution must comply with the [code of conduct](conduct.md). Examples of prohibited content include profanity, malicious behavior, security risks, copyright violations, and other conduct which could reasonably be considered inappropriate in a professional setting. 
All this applies to the package, the URL, any other metadata in the contribution, and the contents of the package itself. -1. The package name, URL, and all other metadata must be complete and correct. -1. Each text file must apply to only one package. -1. The text file name must be the name of the package. -1. For JSON listings, the `"branch"` field must be `"*release"` (except in specific predetermined cases such as packages in ), the `"subdirectory"` field must be supplied and exist, the `"url"` field must exist and be correct, and the `"package"` field must agree with the name of the text file. -1. Each contributed URL must point to an existing GitHub or GitLab repository. -1. The URL must be the true/official location of the source code or a faithful mirror of the true location. The package maintainers have the authority to choose the URL. Unofficial or unsupported forks should not be included. The moderator must use discretion on a case-by-case basis because sometimes a fork becomes the true version (e.g. if the original maintainer abandons a package and becomes unreachable indefinitely). -1. The URL must have a release on GitHub or GitLab so R-universe can process the package without error. As a last resort, if the maintainer does not provide their own releases, a repository from the CRAN mirror at may be registered. -1. If the listing of an existing package is modified, then the moderator must verify that the new information is complete and correct. In many cases, it may be necessary to obtain permission from the package maintainer. -1. The reasons for deleting a package listing may vary on a case-by-case basis. The moderator must carefully consider the impact that deletion would have on the community and on reverse dependencies. In many cases, it may be necessary to obtain permission from the package maintainer. +This policy dictates the process by which R-multiverse reviews and accepts contributed R packages. 
+All contributions must comply with R-multiverse policies, including but not limited to [Acceptable Use](https://r-multiverse.org/aup.html), [Terms of Use](https://r-multiverse.org/terms.html), and [Code of Conduct](https://r-multiverse.org/conduct.html). + +## How review works + +When it reviews a [new pull request](https://github.com/r-multiverse/contributions/pulls), the bot makes one of three choices: + +1. Merge the pull request to accept the contribution. +2. Close the pull request to reject the contribution. +3. Flag the pull request for manual review by a [moderator](https://r-multiverse.org/governance.html#moderator). + +## Automatic acceptance + +The bot automatically accepts the contribution if the [pull request](https://github.com/r-multiverse/contributions/pulls): + +1. Was [created by the GitHub web interface](https://r-multiverse.org/contributors.html). +1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages). +1. Does not add, modify, or delete any other files in . + +and if each new [contributed listing](https://github.com/r-multiverse/contributions/tree/main/packages): + +1. Is a single line of text with a valid HTTPS URL. +1. Points to an existing public GitHub/GitLab repository. + +and if the contributed GitHub/GitLab repository: + +1. Includes an R package at the top level whose package name is the same as the repository name. +1. Includes a license from the "Recommended licenses" section at the end of this policy. +1. Includes a GitHub/GitLab [release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases). +1. Is not part of the CRAN mirror at . +1. Is mentioned in the `URL` field its CRAN page (if on CRAN). + +and if the author of the [pull request](https://github.com/r-multiverse/contributions/pulls): + +1. 
Is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of one of the trusted [GitHub organizations](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations) listed at . + +In addition, the GitHub/GitLab repository owner must consent to contribute the repository to R-multiverse. Any of the following is sufficient evidence of consent: + +1. The author of the [pull request](https://github.com/r-multiverse/contributions/pulls) is the GitHub owner of the repository. +1. The author of the [pull request](https://github.com/r-multiverse/contributions/pulls) is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of the GitHub organization that owns the repository. +1. The `URL` field of the package `DESCRIPTION` file points to an R-multiverse URL (for example, or ). + +## Automatic rejection + +The bot automatically rejects [pull requests](https://github.com/r-multiverse/contributions/pulls) which attempt to: + +1. Add/modify/delete files outside the [`packages`](https://github.com/r-multiverse/contributions/tree/main/packages) folder, or +1. Add/modify/delete files in a subdirectory of the [`packages`](https://github.com/r-multiverse/contributions/tree/main/packages) folder. + +## Manual review + +R-multiverse [moderators](https://r-multiverse.org/governance.html#moderator) review [pull requests](https://github.com/r-multiverse/contributions/pulls) that the bot flags for manual review. 
+The [moderator](https://r-multiverse.org/governance.html#moderator) inspects the package for compliance with R-multiverse policies, including but not limited to [Acceptable Use](https://r-multiverse.org/aup.html), [Terms of Use](https://r-multiverse.org/terms.html), and [Code of Conduct](https://r-multiverse.org/conduct.html). +The moderator accepts the contribution if and only if it complies with all policies. + +## Recommended licenses + +The [Acceptable Use Policy](https://r-multiverse.org/aup.html) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". +In practice, this implies each package must have a valid open-source license. +The following is a list of valid open-source licenses that the bot automatically accepts during reviews: + +* [Artistic 2.0](https://opensource.org/license/artistic-2-0) +* [BSD 2-Clause](https://opensource.org/license/bsd-2-clause) +* [BSD 3-Clause](https://opensource.org/license/bsd-3-clause) +* [GPL-2](https://opensource.org/license/gpl-2-0) +* [GPL-3](https://opensource.org/license/gpl-3-0) +* [LGPL-2](https://opensource.org/license/lgpl-2-0) +* [LGPL-2.1](https://opensource.org/license/lgpl-2-1) +* [LGPL-3](https://opensource.org/license/lgpl-3-0) +* [MIT](https://opensource.org/license/mit) From b6666665bf60c0ea5a58b9292cb40e75b0409dee Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 10:34:46 -0500 Subject: [PATCH 02/18] Remove automatic rejection (what a PR updates the org list?) --- review.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/review.md b/review.md index 68ed241..ba373f6 100644 --- a/review.md +++ b/review.md 
@@ -10,15 +10,14 @@ All contributions must comply with R-multiverse policies, including but not limi When it reviews a [new pull request](https://github.com/r-multiverse/contributions/pulls), the bot makes one of three choices: 1. Merge the pull request to accept the contribution. -2. Close the pull request to reject the contribution. -3. Flag the pull request for manual review by a [moderator](https://r-multiverse.org/governance.html#moderator). +2. Flag the pull request for manual review by a [moderator](https://r-multiverse.org/governance.html#moderator). ## Automatic acceptance The bot automatically accepts the contribution if the [pull request](https://github.com/r-multiverse/contributions/pulls): 1. Was [created by the GitHub web interface](https://r-multiverse.org/contributors.html). -1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages). +1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages) and makes no other changes to any files. 1. Does not add, modify, or delete any other files in . and if each new [contributed listing](https://github.com/r-multiverse/contributions/tree/main/packages): 
@@ -44,13 +43,6 @@ In addition, the GitHub/GitLab repository owner must consent to contribute the r 1. The author of the [pull request](https://github.com/r-multiverse/contributions/pulls) is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of the GitHub organization that owns the repository. 1. The `URL` field of the package `DESCRIPTION` file points to an R-multiverse URL (for example, or ). -## Automatic rejection - -The bot automatically rejects [pull requests](https://github.com/r-multiverse/contributions/pulls) which attempt to: - -1. Add/modify/delete files outside the [`packages`](https://github.com/r-multiverse/contributions/tree/main/packages) folder, or -1. Add/modify/delete files in a subdirectory of the [`packages`](https://github.com/r-multiverse/contributions/tree/main/packages) folder. - ## Manual review R-multiverse [moderators](https://r-multiverse.org/governance.html#moderator) review [pull requests](https://github.com/r-multiverse/contributions/pulls) that the bot flags for manual review. From fc8e265b9025eb21eaf5fba629916465b8815ad4 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:15:56 -0500 Subject: [PATCH 03/18] link format --- review.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/review.md b/review.md index ba373f6..54b8dc1 100644 --- a/review.md +++ b/review.md 
@@ -3,20 +3,20 @@ title: "Review Policy" --- This policy dictates the process by which R-multiverse reviews and accepts contributed R packages. -All contributions must comply with R-multiverse policies, including but not limited to [Acceptable Use](https://r-multiverse.org/aup.html), [Terms of Use](https://r-multiverse.org/terms.html), and [Code of Conduct](https://r-multiverse.org/conduct.html). +All contributions must comply with R-multiverse policies, including but not limited to [Acceptable Use](aup.md), [Terms of Use](terms.md), and [Code of Conduct](conduct.md). ## How review works When it reviews a [new pull request](https://github.com/r-multiverse/contributions/pulls), the bot makes one of three choices: 1. Merge the pull request to accept the contribution. -2. Flag the pull request for manual review by a [moderator](https://r-multiverse.org/governance.html#moderator). +2. Flag the pull request for manual review by a [moderator](governance.md#moderator). ## Automatic acceptance The bot automatically accepts the contribution if the [pull request](https://github.com/r-multiverse/contributions/pulls): -1. Was [created by the GitHub web interface](https://r-multiverse.org/contributors.html). +1. Was [created by the GitHub web interface](contributors.md). 1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages) and makes no other changes to any files. 1. Does not add, modify, or delete any other files in . 
@@ -45,13 +45,13 @@ In addition, the GitHub/GitLab repository owner must consent to contribute the r ## Manual review -R-multiverse [moderators](https://r-multiverse.org/governance.html#moderator) review [pull requests](https://github.com/r-multiverse/contributions/pulls) that the bot flags for manual review. -The [moderator](https://r-multiverse.org/governance.html#moderator) inspects the package for compliance with R-multiverse policies, including but not limited to [Acceptable Use](https://r-multiverse.org/aup.html), [Terms of Use](https://r-multiverse.org/terms.html), and [Code of Conduct](https://r-multiverse.org/conduct.html). +R-multiverse [moderators](governance.md#moderator) review [pull requests](https://github.com/r-multiverse/contributions/pulls) that the bot flags for manual review. +The [moderator](governance.md#moderator) inspects the package for compliance with R-multiverse policies, including but not limited to [Acceptable Use](aup.md), [Terms of Use](terms.md), and [Code of Conduct](conduct.md). The moderator accepts the contribution if and only if it complies with all policies. ## Recommended licenses -The [Acceptable Use Policy](https://r-multiverse.org/aup.html) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". +The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". In practice, this implies each package must have a valid open-source license. The following is a list of valid open-source licenses that the bot automatically accepts during reviews: From 95dd3238a96f4fe4eb6bf7be8ea5b82599fc8613 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:28:29 -0500 Subject: [PATCH 04/18] Update review.md --- review.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/review.md b/review.md index 54b8dc1..99edfab 100644 --- a/review.md +++ b/review.md @@ -37,10 +37,9 @@ and if the author of the [pull request](https://github.com/r-multiverse/contribu 1. Is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of one of the trusted [GitHub organizations](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations) listed at . -In addition, the GitHub/GitLab repository owner must consent to contribute the repository to R-multiverse. Any of the following is sufficient evidence of consent: +In addition, the GitHub/GitLab repository owner must consent to contribute the repository to R-multiverse. Either of the following is sufficient evidence of consent: 1. The author of the [pull request](https://github.com/r-multiverse/contributions/pulls) is the GitHub owner of the repository. -1. The author of the [pull request](https://github.com/r-multiverse/contributions/pulls) is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of the GitHub organization that owns the repository. 1. The `URL` field of the package `DESCRIPTION` file points to an R-multiverse URL (for example, or ). ## Manual review From 6650d559ac6d154f968c778ddf917048f34b7562 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 11:57:29 -0500 Subject: [PATCH 05/18] Update review.md --- review.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/review.md b/review.md index 99edfab..8b563b9 100644 --- a/review.md +++ b/review.md 
@@ -37,22 +37,26 @@ and if the author of the [pull request](https://github.com/r-multiverse/contribu 1. Is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of one of the trusted [GitHub organizations](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations) listed at . -In addition, the GitHub/GitLab repository owner must consent to contribute the repository to R-multiverse. Either of the following is sufficient evidence of consent: - -1. The author of the [pull request](https://github.com/r-multiverse/contributions/pulls) is the GitHub owner of the repository. -1. The `URL` field of the package `DESCRIPTION` file points to an R-multiverse URL (for example, or ). - ## Manual review R-multiverse [moderators](governance.md#moderator) review [pull requests](https://github.com/r-multiverse/contributions/pulls) that the bot flags for manual review. The [moderator](governance.md#moderator) inspects the package for compliance with R-multiverse policies, including but not limited to [Acceptable Use](aup.md), [Terms of Use](terms.md), and [Code of Conduct](conduct.md). The moderator accepts the contribution if and only if it complies with all policies. +## Removal + +R-multiverse may remove a package from its own repositories at any time if the package violates R-multiverse policies. + +## Modification + +No R-multiverse staff member (administrator, moderator, or otherwise) may modify a package in R-multiverse without the explicit consent of the owners declared in the license of the package. + ## Recommended licenses The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". -In practice, this implies each package must have a valid open-source license. 
-The following is a list of valid open-source licenses that the bot automatically accepts during reviews: +In practice, this means each package must have a valid open-source license. +The following is a list of valid open-source licenses that the bot automatically accepts during reviews. +If the package includes one of the license below, it implies that the authors consent to distribute the package in R-multiverse. * [Artistic 2.0](https://opensource.org/license/artistic-2-0) * [BSD 2-Clause](https://opensource.org/license/bsd-2-clause) From a77dd36a0dc20b1d4e5ac3bba476a6ac4802c52d Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:35:37 -0500 Subject: [PATCH 06/18] Update review.md --- review.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/review.md b/review.md index 8b563b9..7064657 100644 --- a/review.md +++ b/review.md @@ -17,7 +17,7 @@ When it reviews a [new pull request](https://github.com/r-multiverse/contributio The bot automatically accepts the contribution if the [pull request](https://github.com/r-multiverse/contributions/pulls): 1. Was [created by the GitHub web interface](contributors.md). -1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages) and makes no other changes to any files. +1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages). 1. Does not add, modify, or delete any other files in . and if each new [contributed listing](https://github.com/r-multiverse/contributions/tree/main/packages): From 73d511d58e882590255121a1f5bf60a129a1c6dd Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:36:54 -0500 Subject: [PATCH 07/18] Update review.md --- review.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/review.md b/review.md index 7064657..8aab9ba 100644 --- a/review.md +++ b/review.md @@ -31,7 +31,7 @@ and if the contributed GitHub/GitLab repository: 1. Includes a license from the "Recommended licenses" section at the end of this policy. 1. Includes a GitHub/GitLab [release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases). 1. Is not part of the CRAN mirror at . -1. Is mentioned in the `URL` field its CRAN page (if on CRAN). +1. Is mentioned in the `URL` field its CRAN page (if a package with the same name is on CRAN). and if the author of the [pull request](https://github.com/r-multiverse/contributions/pulls): From 3610974107f7fbd4bb285b020de79f085947ed2e Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:37:30 -0500 Subject: [PATCH 08/18] Update review.md --- review.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/review.md b/review.md index 8aab9ba..1d5c739 100644 --- a/review.md +++ b/review.md @@ -31,7 +31,7 @@ and if the contributed GitHub/GitLab repository: 1. Includes a license from the "Recommended licenses" section at the end of this policy. 1. Includes a GitHub/GitLab [release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases). 1. Is not part of the CRAN mirror at . -1. Is mentioned in the `URL` field its CRAN page (if a package with the same name is on CRAN). +1. Is mentioned in the `URL` field of the corresponding CRAN page (if a package with the same name is on CRAN). and if the author of the [pull request](https://github.com/r-multiverse/contributions/pulls): From 41806f61d933998da82854fbb460e462d2ebb445 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:16:02 -0500 Subject: [PATCH 09/18] Update review.md --- review.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/review.md b/review.md index 1d5c739..6dfbf3f 100644 --- a/review.md +++ b/review.md @@ -27,11 +27,15 @@ and if each new [contributed listing](https://github.com/r-multiverse/contributi and if the contributed GitHub/GitLab repository: +1. Includes a GitHub/GitLab [release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases). 1. Includes an R package at the top level whose package name is the same as the repository name. +1. Is listed in the `URL` field of the corresponding CRAN page (if a package with the same name is on CRAN). + +and if the R package: + 1. Includes a license from the "Recommended licenses" section at the end of this policy. -1. Includes a GitHub/GitLab [release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases). +1. Does not have an advisory in the [R Consortium Advisory Database](https://github.com/RConsortium/r-advisory-database). 1. Is not part of the CRAN mirror at . -1. Is mentioned in the `URL` field of the corresponding CRAN page (if a package with the same name is on CRAN). and if the author of the [pull request](https://github.com/r-multiverse/contributions/pulls): From 98cbbb6193052bf39cab16bb1517c794d76f3d15 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:17:54 -0500 Subject: [PATCH 10/18] Update review.md --- review.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/review.md b/review.md index 6dfbf3f..b264d90 100644 --- a/review.md +++ b/review.md 
@@ -14,7 +14,11 @@ When it reviews a [new pull request](https://github.com/r-multiverse/contributio ## Automatic acceptance -The bot automatically accepts the contribution if the [pull request](https://github.com/r-multiverse/contributions/pulls): +The bot automatically accepts the contribution if the [pull request](https://github.com/r-multiverse/contributions/pulls) author: + +1. Is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of one of the trusted [GitHub organizations](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations) listed at . + +and the [pull request](https://github.com/r-multiverse/contributions/pulls) itself: 1. Was [created by the GitHub web interface](contributors.md). 1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages). @@ -37,10 +41,6 @@ and if the R package: 1. Does not have an advisory in the [R Consortium Advisory Database](https://github.com/RConsortium/r-advisory-database). 1. Is not part of the CRAN mirror at . -and if the author of the [pull request](https://github.com/r-multiverse/contributions/pulls): - -1. Is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of one of the trusted [GitHub organizations](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations) listed at . - ## Manual review R-multiverse [moderators](governance.md#moderator) review [pull requests](https://github.com/r-multiverse/contributions/pulls) that the bot flags for manual review. From 6d529d24cf480025dc0c9c41a0f4a80714920270 Mon Sep 17 00:00:00 2001 
From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Mon, 18 Nov 2024 15:19:09 -0500 Subject: [PATCH 11/18] Update review.md --- review.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/review.md b/review.md index b264d90..bf30f82 100644 --- a/review.md +++ b/review.md @@ -14,11 +14,11 @@ When it reviews a [new pull request](https://github.com/r-multiverse/contributio ## Automatic acceptance -The bot automatically accepts the contribution if the [pull request](https://github.com/r-multiverse/contributions/pulls) author: +The bot automatically accepts the contribution if the author of the [pull request](https://github.com/r-multiverse/contributions/pulls): 1. Is a [public member](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-membership-in-organizations/publicizing-or-hiding-organization-membership) of one of the trusted [GitHub organizations](https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/about-organizations) listed at . -and the [pull request](https://github.com/r-multiverse/contributions/pulls) itself: +and if the [pull request](https://github.com/r-multiverse/contributions/pulls) itself: 1. Was [created by the GitHub web interface](contributors.md). 1. Adds new contributed listings to the [`packages` folder](https://github.com/r-multiverse/contributions/tree/main/packages). From bb1febc2ed627c83855aa85bf401743b0303231c Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:09:01 -0500 Subject: [PATCH 12/18] Update review.md Co-authored-by: Charlie Gao <53399081+shikokuchuo@users.noreply.github.com> --- review.md | 1 + 1 file changed, 1 insertion(+) diff --git a/review.md b/review.md index bf30f82..0e1f9ab 100644 --- a/review.md +++ b/review.md 
@@ -62,6 +62,7 @@ In practice, this means each package must have a valid open-source license. The following is a list of valid open-source licenses that the bot automatically accepts during reviews. If the package includes one of the license below, it implies that the authors consent to distribute the package in R-multiverse. +* [Apache 2.0](https://opensource.org/license/apache-2-0) * [Artistic 2.0](https://opensource.org/license/artistic-2-0) * [BSD 2-Clause](https://opensource.org/license/bsd-2-clause) * [BSD 3-Clause](https://opensource.org/license/bsd-3-clause) From a8467110352b7f25d19105a1a4737e8199e37cc5 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:09:32 -0500 Subject: [PATCH 13/18] Update review.md Co-authored-by: Charlie Gao <53399081+shikokuchuo@users.noreply.github.com> --- review.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/review.md b/review.md index 0e1f9ab..ab18946 100644 --- a/review.md +++ b/review.md @@ -58,7 +58,7 @@ No R-multiverse staff member (administrator, moderator, or otherwise) may modify ## Recommended licenses The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". -In practice, this means each package must have a valid open-source license. +If a package has a valid open-source license, this ensures that distribution by R-multiverse does not violate the intellectual property rights of the package authors. The following is a list of valid open-source licenses that the bot automatically accepts during reviews. If the package includes one of the license below, it implies that the authors consent to distribute the package in R-multiverse. From 059a5368c6942422355d7d06ad45940711cbd370 Mon Sep 17 00:00:00 2001 
From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:11:05 -0500 Subject: [PATCH 14/18] Update review.md Co-authored-by: Charlie Gao <53399081+shikokuchuo@users.noreply.github.com> --- review.md | 1 - 1 file changed, 1 deletion(-) diff --git a/review.md b/review.md index ab18946..13a708b 100644 --- a/review.md +++ b/review.md @@ -60,7 +60,6 @@ No R-multiverse staff member (administrator, moderator, or otherwise) may modify The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". If a package has a valid open-source license, this ensures that distribution by R-multiverse does not violate the intellectual property rights of the package authors. The following is a list of valid open-source licenses that the bot automatically accepts during reviews. -If the package includes one of the license below, it implies that the authors consent to distribute the package in R-multiverse. * [Apache 2.0](https://opensource.org/license/apache-2-0) * [Artistic 2.0](https://opensource.org/license/artistic-2-0) From f6dc363996b03781075829a820a81b48cdf0f4ce Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Tue, 19 Nov 2024 11:45:31 -0500 Subject: [PATCH 15/18] Update review.md --- review.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/review.md b/review.md index 13a708b..860359e 100644 --- a/review.md +++ b/review.md 
@@ -51,10 +51,6 @@ The moderator accepts the contribution if and only if it complies with all polic R-multiverse may remove a package from its own repositories at any time if the package violates R-multiverse policies. -## Modification - -No R-multiverse staff member (administrator, moderator, or otherwise) may modify a package in R-multiverse without the explicit consent of the owners declared in the license of the package. - ## Recommended licenses The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". From 275a247fa0487c42d27cd3bd96e5e12b471c8f6a Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Wed, 20 Nov 2024 20:15:28 -0500 Subject: [PATCH 16/18] Require a valid open-source license --- review.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/review.md b/review.md index 860359e..e9f6ac1 100644 --- a/review.md +++ b/review.md @@ -37,7 +37,7 @@ and if the contributed GitHub/GitLab repository: and if the R package: -1. Includes a license from the "Recommended licenses" section at the end of this policy. +1. Includes a license from the "Licenses" section at the end of this policy. 1. Does not have an advisory in the [R Consortium Advisory Database](https://github.com/RConsortium/r-advisory-database). 1. Is not part of the CRAN mirror at . 
@@ -51,10 +51,10 @@ The moderator accepts the contribution if and only if it complies with all polic R-multiverse may remove a package from its own repositories at any time if the package violates R-multiverse policies. -## Recommended licenses +## Licenses The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". -If a package has a valid open-source license, this ensures that distribution by R-multiverse does not violate the intellectual property rights of the package authors. +Each package contributed to R-multiverse must have a valid open-source license to protect the intellectual property rights of the package authors. The following is a list of valid open-source licenses that the bot automatically accepts during reviews. * [Apache 2.0](https://opensource.org/license/apache-2-0) From c996196902186508ee74f5134021190cda4eb14f Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Wed, 20 Nov 2024 20:26:02 -0500 Subject: [PATCH 17/18] Say "owners" because sometimes owners and authors are not the same --- review.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/review.md b/review.md index e9f6ac1..fd3ab85 100644 --- a/review.md +++ b/review.md 
@@ -54,7 +54,7 @@ R-multiverse may remove a package from its own repositories at any time if the p ## Licenses The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". -Each package contributed to R-multiverse must have a valid open-source license to protect the intellectual property rights of the package authors. +Each package contributed to R-multiverse must have a valid open-source license to protect the intellectual property rights of the package owners. The following is a list of valid open-source licenses that the bot automatically accepts during reviews. * [Apache 2.0](https://opensource.org/license/apache-2-0) From 5ad944fba0f4fb5f5b4c0ffd8c6fd3103f9477a5 Mon Sep 17 00:00:00 2001 From: Will Landau <1580860+wlandau@users.noreply.github.com> Date: Wed, 20 Nov 2024 20:44:28 -0500 Subject: [PATCH 18/18] Update review.md --- review.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/review.md b/review.md index fd3ab85..c259a36 100644 --- a/review.md +++ b/review.md @@ -54,7 +54,7 @@ R-multiverse may remove a package from its own repositories at any time if the p ## Licenses The [Acceptable Use Policy](aup.md) prohibits packages that "violate any applicable laws, regulations, or third-party rights, including intellectual property rights". -Each package contributed to R-multiverse must have a valid open-source license to protect the intellectual property rights of the package owners. +Each contributed package must have a valid free and open-source ([FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software)) license to protect the intellectual property rights of the package owners. The following is a list of valid open-source licenses that the bot automatically accepts during reviews. * [Apache 2.0](https://opensource.org/license/apache-2-0)
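Review bot: In PATCH 12/18 (hunk `@@ -62,6 +62,7 @@`), the new `Apache 2.0` entry gives only a display name and an OSI link, so the policy still does not say which license strings the bot actually matches. Since the surrounding text describes this as the list "that the bot automatically accepts during reviews", consider documenting next to each entry the exact form a package has to declare for the automated check to pass. Otherwise a contributor cannot tell from the policy whether their Apache-licensed package will be auto-accepted or flagged.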
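Review bot: In PATCH 13/18 (hunk `@@ -58,7 +58,7 @@`), the replacement sentence turns a requirement into a conditional and overstates what a license guarantees. The removed line said each package "must have a valid open-source license"; the added line only says that if one is present, "this ensures that distribution by R-multiverse does not violate the intellectual property rights of the package authors". A license file does not ensure that on its own, for example when the package bundles code its authors do not own, and between this commit and PATCH 16/18 the policy has no statement that a license is required. Suggest keeping "must" here and softening "ensures", or squashing this commit with PATCH 16/18, which restores the requirement.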
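Review bot: In PATCH 15/18 (hunk `@@ -51,10 +51,6 @@`), the whole "## Modification" section is deleted with no rationale in the commit message ("Update review.md"). That section was the policy's only stated commitment that staff may not "modify a package in R-multiverse without the explicit consent of the owners", which is an integrity guarantee users of the repository rely on. If the commitment now lives in another policy document, link to it from here and say so in the commit message. If it is being dropped, the message should state that explicitly so the change is visible in the history.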
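Review bot: In PATCH 16/18 (second hunk, `@@ -51,10 +51,10 @@`), the section now says each package "must have a valid open-source license", but the next line still describes the list only as licenses "that the bot automatically accepts", so the outcome for a license that is not on the list is undefined. State whether such a package is closed, or flagged for manual review, and who decides what counts as "valid". Also note that renaming the heading from "Recommended licenses" to "Licenses" changes the section anchor; the first hunk updates the in-page reference, but any inbound links to the old heading should be checked.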
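Review bot: In PATCH 18/18 (hunk `@@ -54,7 +54,7 @@`), the added sentence requires a "free and open-source (FOSS)" license while the unchanged line directly below still says "valid open-source licenses" and every list entry links to opensource.org. Pick one term and use it in both sentences, and consider pointing the definition at the body whose approval the list actually follows rather than at a Wikipedia article, since the wiki page can change and is not a normative definition for a policy requirement.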