-rw-r--r-- | doc/neps/nep-0036-fair-play.rst | 60 |
1 files changed, 32 insertions, 28 deletions
diff --git a/doc/neps/nep-0036-fair-play.rst b/doc/neps/nep-0036-fair-play.rst index 34c8f6eb8..11684baee 100644 --- a/doc/neps/nep-0036-fair-play.rst +++ b/doc/neps/nep-0036-fair-play.rst 
@@ -26,31 +26,34 @@ troublesome, bothersome, and unacceptable. Motivation ---------- -We sometimes learn of NumPy versions modified and circulated by outsiders. -These patched versions can cause problems for the NumPy community. - -- In December 2018, a `bug report - <https://github.com/numpy/numpy/issues/12515>`__ was filed against - `np.erf` -- a function that didn't exist in the NumPy distribution. - It came to light that a company had published a NumPy version with - an extended API footprint. After several months of discussion, the - company agreed to make its patches public, and we added a label to - the NumPy issue tracker to identify issues pertaining to that - distribution. - -- In another case, after a security issue (CVE-2019-6446) was filed - against NumPy, distributions put in their own fixes, most often by - changing a default keyword value. As a result the NumPy API was - inconsistent across distributions. - -When issues arise in cases like these, our developers waste time -identifying the problematic release, locating alterations, -and determining an appropriate course of action. +Every so often, we learn of NumPy versions modified and circulated by outsiders. +These patched versions can cause problems for the NumPy community +(see, e.g., [#erf]_ and [#CVE-2019-6446]_). +When issues like these arise, our developers waste time identifying +the problematic release, locating alterations, and determining an +appropriate course of action. + +In addition, packages on the Python Packaging Index are sometimes +named such that users assume they are sanctioned or maintained by +NumPy. We wish to reduce the number of such incidences. During a community call on `October 16th, 2019 <https://github.com/numpy/archive/blob/main/status_meetings/status-2019-10-16.md>`__ -the community resolved to draft guidelines on the distribution of -modified NumPy versions. +the community resolved to draft guidelines to address these matters. + +.. 
[#erf] In December 2018, a + `bug report <https://github.com/numpy/numpy/issues/12515>`__ + was filed against `np.erf` -- a function that didn't exist in the + NumPy distribution. It came to light that a company had published + a NumPy version with an extended API footprint. After several + months of discussion, the company agreed to make its patches + public, and we added a label to the NumPy issue tracker to identify + issues pertaining to that distribution. + +.. [#CVE-2019-6446] After a security issue (CVE-2019-6446) was filed + against NumPy, distributions put in their own fixes, most often by + changing a default keyword value. As a result the NumPy API was + inconsistent across distributions. Scope ----- @@ -100,15 +103,16 @@ Fair play rules '1.17.2+mycompany.15` We understand that minor patches are often required to make a - library work under a certain distribution. E.g., Debian may patch + library work inside of a distribution. E.g., Debian may patch NumPy so that it searches for optimized BLAS libraries in the - correct locations. But we ask that no substantive changes are - made. + correct locations. This is in order, but we ask that no + substantive changes are made. -3. Do not extend NumPy's API footprint. +3. Do not extend or modify NumPy's API. If you absolutely have to break rule two, please do not add - additional functions to the namespace. NumPy's API is already + additional functions to the namespace, or modify the API of + existing functions. NumPy's API is already quite large, and we are working hard to reduce it where feasible. Having additional functions exposed in distributed versions is confusing for users and developers alike. 
@@ -121,7 +125,7 @@ Fair play rules <https://numpy.org/neps/nep-0018-array-function-protocol.html>`__ were designed to help external packages interact more easily with NumPy. E.g., the latter allows objects from foreign libraries to - pass through NumPy unharmed. We actively encourage using any of + pass through NumPy. We actively encourage using any of these "officialy sanctioned" mechanisms for overriding or interacting with NumPy. |
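Review bot: in the first hunk (@@ -26,31 +26,34 @@), the added paragraph names the "Python Packaging Index"; the index is called the Python Package Index (PyPI), so use that name. In the same paragraph, "incidences" should read "incidents". The closing sentence now says the October 16th call resolved to draft guidelines "to address these matters", which after this change covers package naming as well as modified distributions. If the call only dealt with modified NumPy versions, as the removed wording stated, keep that sentence specific and introduce the naming concern separately.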
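Review bot: in the second hunk (@@ -100,15 +103,16 @@), rule 3 now forbids modifying the API of existing functions, but the justification that follows still argues only from the size of the API and the confusion caused by additional functions. Add a sentence on why changed signatures or defaults are a problem, for instance by pointing to the [#CVE-2019-6446]_ footnote from the first hunk, where changed default keyword values left the API inconsistent across distributions. Also, "add additional functions" is redundant ("add functions" is enough), and the version example in the context line at the top of the hunk opens with a single quote but closes with a backtick.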
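Review bot: in the third hunk (@@ -121,7 +125,7 @@), the context line directly after the changed one still reads "officialy sanctioned"; correct it to "officially" while this sentence is being edited. Dropping "unharmed" also leaves "pass through NumPy" without saying what is preserved for the foreign object, so consider replacing the qualifier with a neutral statement of that property instead of removing it outright.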