
Security: narwhals-dev/narwhals


docs/security.md

Security

Given that Narwhals can only work if people trust it, we recognise the importance of following good security practices. Here are some practices we follow:

  • We publish to PyPI via trusted publishing and are PEP 740-compliant (release files are published with attestations).

  • We don't use pull_request_target in any CI job.

  • The release CI job can only be triggered for tag pushes, and only Narwhals members with release permissions (see below) can push tags.

  • All members of narwhals-dev are required to have two-factor authentication enabled.

  • There are no binary or opaque files in the Narwhals repository.

  • Release permissions are only given to people who satisfy all of the following:

    • Have met the original author in real life on multiple days.
    • Have made significant contributions to Narwhals.
    • Give off good vibes. This is hard to rigorously define, but it's there so we can refuse anyone who, despite satisfying the above two criteria, we don't feel like we can trust.
    • There are fewer than 5 active people with release permissions. That is to say, even if someone satisfies all of the above, if there are already 5 people with release permissions, then we will not be adding any more (though you may still be added to narwhals-dev and get permission to merge pull requests which you believe are ready). Note that we already meet that limit.

There aren’t any published security advisories