alitheg commented on PR #825: URL: https://github.com/apache/tooling-trusted-releases/pull/825#issuecomment-4004497820
Also, on the validation side, I'm not sure _how much_ value we really get from validating from a project/version cache in these types - because TOC != TOU, we have to check validity everywhere we use them anyway, so why check them? Unless we equip them to do their own checks from the cache every time they're used somehow? If they don't do that - perhaps they're just safe string types which sanitise user input (which was the ASVS problem we discussed linking to this). That said, I have found it helpful to not accidentally pass the wrong string (release name instead of project name for example) so that's something.
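The split discussed in the comment above, as an added example that is not part of the comment or the project's code: name types that only sanitise syntax and keep project and release names apart, with existence checked by the store at time of use. The names `SafeName`, `ProjectName`, `ReleaseName`, `Store`, and the regex are assumptions made for illustration.

```python
import re

# Assumed syntax rule for illustration; the project's real naming rules are not on the page.
_SAFE = re.compile(r"[a-z0-9][a-z0-9.-]{0,63}")

class SafeName:
    """Syntax-checked string: sanitises input, claims nothing about existence."""
    __slots__ = ("value",)

    def __init__(self, raw):
        if not isinstance(raw, str) or _SAFE.fullmatch(raw) is None:
            raise ValueError(f"unsafe {type(self).__name__}: {raw!r}")
        self.value = raw

class ProjectName(SafeName):
    pass

class ReleaseName(SafeName):
    pass

class Store:
    """Constructed stand-in for the authoritative project store."""
    def __init__(self):
        self._projects = set()

    def add(self, name):
        self._projects.add(name.value)

    def remove(self, name):
        self._projects.discard(name.value)

    def open_project(self, name):
        # Reject the wrong kind of name (a release passed where a project is expected).
        if not isinstance(name, ProjectName):
            raise TypeError("expected ProjectName")
        # Existence is checked here, at time of use, not when the name was built.
        if name.value not in self._projects:
            raise LookupError(f"no such project: {name.value}")
        return f"projects/{name.value}"

def outcome(fn, *args):
    """Return the call's result, or the name of the exception it raised."""
    try:
        return fn(*args)
    except (ValueError, TypeError, LookupError) as exc:
        return type(exc).__name__

def demo():
    store, name = Store(), ProjectName("tooling")
    store.add(name)
    before = outcome(store.open_project, name)
    store.remove(name)  # state changes after the name object was constructed
    after = outcome(store.open_project, name)
    mixed = outcome(store.open_project, ReleaseName("tooling-0.1"))
    unsafe = outcome(ProjectName, "../secret")
    return before, after, mixed, unsafe
```

The same `ProjectName` object succeeds before the removal and fails after it, which is why a construction-time existence check would add nothing the use-time check does not already cover.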
