Package Validator - Check IconUrl for usage of GitHub raw links about home HOT 7 OPEN

I would say Guideline as a minimum.

Yep, sorry, I mixed up the order of guideline and suggestion. I have them straight on the review comments, since they are in order there.

from home.

@TheCakeIsNaOH what level would you see this rule being added at? Would it be a suggestion, meaning that it doesn't "need" to be adhered to, or would this require the package to be pushed back to the maintainer to fix?

from home.

@gep13 just chiming in.
IMO, as not using a rawgit URL is a strong suggestion, I would say that perhaps the Guideline section would be the most appropriate in this case

from home.

@gep13
That's up for debate IMO.

GitHub definitely does not want people using assets directly from GitHub raw:
https://github.blog/2013-04-24-heads-up-nosniff-header-support-coming-to-chrome-and-firefox/

So I'd tend to say start at a guideline, and move up to a requirement at some point.

IMO, as not using a rawgit URL is a strong suggestion,

Then maybe we could move that up to a suggestion as well? Edit: Ignore this

from home.

For new packages this is a requirement for me so I'd suggest we make it a requirement across the board. GitHub don't want it. Chocolatey doesn't want it. Would make sense.

The solutions to this issue are trivial so we're not putting anything in people's way.

from home.

Then maybe we could move that up to a suggestion as well?

I would say Guideline as a minimum.

You have

• Requirements (more or less mandatory to push back to maintainers).
• Guidelines (strong suggestions that maintainers need to consider for the next version of a package if applicable)
• Suggestions (optional items that can be added to enhance the package)
• Notes (can depend on the circumstances, but usually similar to requirements if applicable).

At least those were true when I was added as a moderator.

For new packages this is a requirement for me so I'd suggest we make it a requirement across the board. GitHub don't want it. Chocolatey doesn't want it. Would make sense.

I agree, for new packages, it definitely should not be used.
For existing packages, I would say it should be fixed for the next version (which is why I say to add it as a Guideline).
TBH, not sure if GitHub is still on the same stance anymore, not after they improved the CDN caching for those links (I think even NuGet encouraged the use at 1 point. I don't think they still do, though).

from home.

I've thought about this more and here is how I think it could work:

1. If the domain is: github.com,githubusercontent.com,rawgit.com
   Then fail the validator, with a requirement to switch away from those.

2. Else If the domain is: jsdelivr,statically,githack (etc, need to fill this out)
   Then pass the validator, no issue

3. Else
   Then put out a note that the review should check that the icon is at a location under the maintainers control (e.g. another cdn, or if the maintainer is also author then the software website would be fine, etc)

from home.