Hugo

Theme Organization on Github

I know this has been discussed before but not regarding security insurance. Following this discussion I have a proposition:

How about a Github organization that all theme repositories join that want to be listed on the overview of the themes. With fixed “harsh” rules like the following:

  • activity within a certain timeframe (some months)
  • issues are answered and solved within a certain timeframe (some weeks)
  • security monitoring is enabled for all repositories
  • automatic security fixes (if possible) is enabled for all repositories
  • security fixes are quickly applied (some days)
  • QA users/moderators receive access to the repos, owner stays the original owner/team
  • depending on availability tools like Codacy can run on these repos whenever something is committed or pulled.

It is possible to synchronize the repository with an original repository (as secondary origin) or move the original repository into the organization. So the whole “I don’t want to give away my repository” argument might be obsolete with that.

The cons are plenty, I understand. The requirement of having to answer peoples enquiries about security issues or quality issues might weight against them?

1 Like

All of the above points have merit.

However I don’t know how we can go about without completely overhauling the themes’ repo. Maybe creating another GitHub organization is overkill.

But since these days we have Go modules it might be doable to make it so that all themes have to inherit third party libraries and other assets from a repo of the gohugoio organization, pretty much like theme demo content is currently inherited from the HugoBasicExample, so that we have these dependencies always up to date.

Anyway that’s just a thought. It would require standardizing the way theme authors use third party libraries. Might feel too restrictive.

Or we simply change theme guidelines. We put it in writing that authors need to keep third party assets up to date or else the themes will be removed.

Looking forward to reading the opinion of the others regarding the security of third party assets that are used in themes listed in the Hugo Showcase.

cc: @digitalcraftsman (when he has the time since he is currently busy)
@bep and everyone else