The 3rd review of SE-0292 has concluded. The review has been generally quiet with feedback focused on making the OpenAPI spec more robust to explicitly highlight the support for redirecting proxies which have been one of the focus points of the 2nd review. As such, the proposal has been accepted with a few minor revisions:
- Refine "A client SHOULD verify the integrity of a downloaded source archive" to "A client MUST verify the integrity of a downloaded source archive"
- Include the checksum of the source archive in the Package release metadata, and/or refine OpenAPI spec to make it clear it should include
- Make the support for redirecting proxies more explicit by explicitly listing 30x response code in the OpenAPI spec.
The proposal and its approval mark an important step forward in the evolution of the Swift package ecosystem. The proposal went through a long review cycle and reflects important feedback from many members of the community. I would like to thank everyone who participated in the review and the proposal authors for their patience and hard work getting this proposal over the finish line.