Anders Kaseorg
The import in `test_decorators` needs adjusting. (We can continue to mock `"zerver.decorator.rate_limit"` while importing `zerver.lib.rate_limiter.rate_limit`.) `zerver/tests/test_decorators.py:25: error: Module "zerver.decorator" does not explicitly export attribute "rate_limit"; implicit reexport disabled [attr-defined]`
We might as well add this to the file-dependency spec too, for local zip files. But it seems there’s more to do in poetry-core to make either URL or...
Like `zulip = {url = "https://github.com/zulip/python-zulip-api/archive/0.8.2.zip#subdirectory=zulip", subdirectory = "zulip"}`? That does seem to succeed, but it would be inconsistent with how we store the subdirectory for Git requirements. (My test...
Is there any reason not to add this for file dependencies too?
Verifying a SHA-256 hash (#37) would provide much of this benefit without any modifications to the way package managers are distributed.
I have some concerns about this change. 1. This negates the hash protection of #137. 2. This could break the reproducibility of builds or CI jobs that start from a...
Of course there are workarounds. But good defaults matter, and I’m proposing that the default should remain the secure known-good version. A user who discovers they need a later version...
This change isn’t giving them the latest version. It’s giving them the latest version *as of* the time they ran `corepack prepare`. That could be ages earlier than the time...
I’d hope for security that corepack starts checking integrity hashes before it’s enabled by default. - #37 (Edit: This was briefly fixed, but it was then reversed by #134 and...
Yes, this still reproduces with the latest version of electron-builder. (Which is the same as the latest version of electron-builder when I originally reported the bug. Maybe this stalebot configuration...