Showing results for 
Show  only  | Search instead for 
Did you mean: 
Occasional contributor

Setting request policy based on version range (v6, workflow)

Are there any plans to support ability to specify range of versions in request policies?

The ability to set a request policy  based on a range of versions.e.g. using wildcards or regex would significantly reduce review overhead and improve compliance.

Use case:  Users submit requests for all component updates. The ability to policy approve requests that are minor version updates , e.g. 1.1 -> 1.2 , that are submitted to address vulnerabilities would significantly improve efficiency and reduce workload for submitters and approvers. It is extremely rare to have license changes in  bug fix patches, so this would be safer than using "any version" +  license.

Defining a Policy using "any version" + license is not a safe solution,  since licenses can change between major releases (from permissive to copyleft or non-OSI type license), and component definitions in PDL often club all licenses together at a component level (versus version level).  This allows requester to select any license from the list of licenses for that component, even if NOT correct for the specified version.  If policy-approval in effect then the wrong license could be selected and auto approved.  It is critical to NOT policy-approve a component where a license has changed from permissive to copyleft, AGPL or SSPL type of license.

Labels (1)
0 Kudos