django-push-notifications
Implement Jazzband guidelines for project django-push-notifications
This issue tracks the implementation of the Jazzband guidelines for the project django-push-notifications
It was initiated by @jleclanche who was automatically assigned in addition to the Jazzband roadies.
See the TODO list below for the generally required tasks, but feel free to update it in case the project requires it.
Feel free to ping a Jazzband roadie if you have any questions.
TODOs
- [x] Fix all links in the docs (and README file etc) from old to new repo
- [x] Add the Jazzband badge to the `README` file
- [x] Add the Jazzband contributing guideline to the `CONTRIBUTING.md` file
- [x] Check if continuous testing works -> https://travis-ci.org/jazzband/django-push-notifications
- [ ] ~~Check if test coverage services work (e.g. Coveralls, Codecov, etc)~~
- [x] Add `jazzband` account to PyPI project as maintainer role (URL: https://pypi.python.org/pypi?:action=role_form&package_name=<PROJECTNAME>)
- [ ] Add `jazzband-bot` as maintainer to the Read the Docs project (URL: https://readthedocs.org/dashboard/<PROJECTNAME>/users/)
  - [note from jleclanche: No RTD for the project]
- [x] Fix project URL in GitHub project description
- [x] Review project if other services are used and port them to Jazzband
- [ ] Ask the former project collaborators @jamaalscarlett, @kit-cat, @matthewh, @Antwan86 and @Proper-Job to properly join Jazzband at https://jazzband.co/
  - [note from jleclanche: @Antwan86 and @Proper-Job are inactive contributors, will not invite them unless they specifically ask]
Project details
| Description | Send push notifications to mobile devices through GCM or APNS in Django. |
| Homepage | None |
| Stargazers | 1103 |
| Open issues | 56 |
| Forks | 372 |
| Default branch | master |
| Is a fork | False |
| Has Wiki | True |
| Has Pages | False |
@jleclanche One recent addition to Jazzband is the ability to do package releases automatically via Travis-CI to the Jazzband site and then have one or more Jazzband members verify the release for a one-click-deploy to PyPI. For that we need someone to step up as project lead, would you want to continue doing that?
More information about this is here: https://jazzband.co/about/releases
I'm OK continuing to do releases as long as someone else can do them as well if I happen to be MIA. Note that currently releases are gpg-signed (setup.py bdist_wheel upload --sign) and I'd like that to continue; is that supported in your flow?
All tasks I can do are done.
@jleclanche Doing signed releases isn't supported as that would require having private GPG keys on the servers which I'm not comfortable with given the non-trivial steps needed to revoke them in case of a security breach. Since none of the Python packaging tools actually use the GPG signature during installation (for various reasons), I would suggest to stop doing it. Sorry.
@jleclanche Was doing signed releases part of packaging it for Debian? https://packages.debian.org/sid/python3-django-push-notifications
No, it's just something I do for all my packages. I would rather not automate the releases though if gpg isn't an option. I agree that adding private keys to travis or w/e isn't a good solution either. Maybe if the build was reproducible the signature could be made out of sync somehow.. hmm..
Yeah, I understand, but I wanna stress that the goal of Jazzband is to increase the bus factor of projects, and GPG private/public key pairs are by design very hard to share with other people securely.
AFAIK Python packages aren't reproducible, or at least it was the case when I last tried it last year. Maybe wheel has improved since then? In practice twine will upload the GPG signature as part of the form data to the PyPI endpoint, so unless you can simply update package data by consecutive POSTs, I'm not sure you could do the signing out of sync of the automatic release.
@jezdez I don't think the package is locked in to just my gpg key though? I'm ok with anyone approved being able to do a release as long as they sign it.
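
The out-of-band signing idea raised in the thread depends on a signer's local rebuild being byte-for-byte identical to the artifact the automated release produced, because a detached signature covers the exact file bytes. The following is an added example, not code from the thread or the project: it classifies a rebuild against a released wheel using constructed in-memory archives and hypothetical names (`SAMPLE_FILES`, `build_wheel`, `member_digests`, `compare_builds`), and it assumes differing archive entry timestamps as the illustrative source of non-reproducibility.

```python
import hashlib
import io
import zipfile

# Constructed sample payload; file names and contents are illustrative only.
SAMPLE_FILES = {
    "example_pkg/__init__.py": b"__version__ = '1.0'\n",
    "example_pkg-1.0.dist-info/METADATA": b"Name: example-pkg\nVersion: 1.0\n",
}


def build_wheel(files, date_time):
    """Build a wheel-like zip in memory, stamping every entry with date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def member_digests(archive):
    """Map each archive member to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}


def compare_builds(released, rebuilt):
    """Classify a local rebuild against the released artifact."""
    if hashlib.sha256(released).digest() == hashlib.sha256(rebuilt).digest():
        # Same bytes: a detached signature made over the rebuild verifies the release.
        return "identical"
    if member_digests(released) == member_digests(rebuilt):
        # Same payload, different archive bytes: the signature would not transfer.
        return "metadata-only"
    # Payload differs: do not sign, investigate the release instead.
    return "content-differs"


if __name__ == "__main__":
    ci = build_wheel(SAMPLE_FILES, (2017, 1, 1, 0, 0, 0))
    local = build_wheel(SAMPLE_FILES, (2017, 1, 1, 0, 5, 0))
    print(compare_builds(ci, local))
```

Only the `identical` result lets a maintainer sign offline without holding a private key on the build server; the other two results mean the signature would either fail to verify or cover content that was never reviewed.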