Establish whether we want to bring codespell into our infrastructure repo

[sgibson91]

Context

We have received a contribution to include codespell into our pre-commit configuration: https://github.com/2i2c-org/infrastructure/pull/3098/files#diff-63a9c44a44acf85fea213a857769990937107cf072831e1a26808cfde9d096b9
I asked in Slack a while ago what to do about this PR but the thread wasn't followed through on: https://2i2c.slack.com/archives/C055A1J1DRP/p1694510304452379
The PR author has asked whether we are considering such a contribution before they work to resolve some conflicts.

• https://github.com/codespell-project/codespell

Proposal

No response

Updates and actions

• Assess codespell as a risk to our infrastructure
• Merge or politely decline the PR as necessary

[damianavila]

@2i2c-org/engineering, I encourage you to provide your feedback on this one so we can achieve consensus in the next few days and have a definetive response for the PR author as soon as possible.

[damianavila]

Another ping to @2i2c-org/engineering, we need to reach some agreement on this one so we can communicate back to the PR submitter as soon as possible.

[sgibson91]

I personally don't see any reason why not. Seems codespell has been shipping with ubuntu since at least 20.04 https://manpages.ubuntu.com/manpages/focal/man1/codespell.1.html

[consideRatio]

I open to trying it if I first evaluate security brielfly. I'll do that tomorrow.

I've hesitated as this is a prompt to (via pre-commit) run software on our computers. That made me a bit cautious and want to look into if i trust the software to be run. I've also hesitated by past experience with language checkers causing noise.

[damianavila]

There was a recent push on the PR: #3098 (comment) and we need to provide the PR author with feedback.

I open to trying it if I first evaluate security brielfly. I'll do that tomorrow.

If this is taking a significant amount of time (more than 30 min), I would advocate closing the PR without merging it.

[yuvipanda]

Did some research and wrote out #3098 (review)

[sgibson91]

run software on our computers

This security concern is also based on the assumption that all of us have set up the pre-commit hooks locally, which is not true. I think if it's safe enough to run in CI, then we should merge it. Installing hooks locally can be at the individual's discretion.

[sgibson91]

Just flagging from the review @yuvipanda made:

So I think this is good to go. Unless there are objections from anyone, I'll (Yuvi) merge this next Wednesday (Jan 31)

(I added clarification on who 'I' is in the quote :) )

[sgibson91]

PR was merged 🎉