Puppet Forge Specific Policies
Content Deletion Policy
We encourage Puppet users to manage their infrastructure using the content available on the Forge as much as possible, rather than writing their own bespoke modules. When provisioning new infrastructure or managing the state of existing infrastructure, users rely on that content's availability from the Forge website or API service.
The sudden and unexplained disappearance of content from the Forge could present a material disruption to a user's ability to manage their infrastructure or even result in infrastructure failure or a delay in their ability to mitigate an unrelated failure.
We understand that module authors may need to migrate or remove modules or module versions. At the same time, we have to maintain continuity of availability so that current modules aren't unexpectedly impacted by the removal of a module that they depend on.
Contributing module authors on the Forge can already accomplish the following without any special intervention from Puppet:
Module authors can mark individual versions of their modules as "deleted". The effect of this action is that the deleted module version won't be returned by the Forge website and API. However, a deleted release is still downloadable with Code Manager, r10k, the Forge website, or the
puppet modulecommand if a user requests the specific version of the module that was deleted. See Deleting a module release from the Forge for more information.
Module authors can mark every release of a given module as "deleted," which causes the entire module to no longer be displayed on the Forge website or returned by the API service unless a user performs a search query that explicitly includes deleted content or requests the deleted module by name. A deleted module is still downloadable with Code Manager, r10k, the Forge website, or the
puppet modulecommand if a user requests a specific version of the module.
See the Forge API for more information on how to mark a release of a module as "deleted".
Content Deletion Policy Details
Puppet does not permanently remove content (such as modules, specific versions of modules, or user profiles) from the Puppet Forge website and accompanying API service, except as specified below:
We reserve the right to unilaterally remove any and all content that violates our Community Guidelines, including, but not limited to, content that is illegal, defamatory, or malicious.
We will remove content that clearly infringes on the intellectual property rights of Puppet or a third party when we are made aware of such content and have validated the claim to our satisfaction.
We will remove a user profile from the Forge upon request from the owner if and only if no module content has ever been published under that user's account.
We will remove module content upon request from the author if and only if no functional version of that module has ever been published.
We will remove a specific version of a module (a "module release") upon request from the author if the module release contains sensitive or proprietary information whose public disclosure represents a significant ongoing risk to the author or authoring organization. Note that many third-parties regularly and automatically mirror content from the Puppet Forge, so simply deleting the content after publication is insufficient remediation for a disclosure incident.
Content Deprecation and Migration
In the event that a module will no longer be maintained, the author can request that it be flagged as "deprecated" on the Forge. The effect of this action is that a "deprecated" indicator will appear on the module when it is displayed on the Forge website. As with deleted modules, users will still be able to download specific versions of the deprecated module. Authors can use the Forge API to mark a module as deprecated. Authors may also submit a request in the FORGE project with the module name and reason for deprecation.
In the event that a module needs to be migrated to a different maintainer, the process is similar to deprecation. The "deprecated" indicators will appear on the module when it is displayed on the Forge website along with a link to the replacement module. Authors can use the Forge API to mark a module as deprecated with a suggested replacement. Authors may also submit a request in the FORGE project with the module name, the replacement module author and name, and the reason for migration.
For more information about deprecating modules, see Publishing modules on the Puppet Forge.
Malware and Security Scanning
The Forge runs a variety of security scans on uploaded modules during the publication process. This is intended to assist users in vetting modules and is not a guarantee of safety, nor should it replace your own evaluation process.
When a scan identifies malware contained in a module, that release will be blocked from publication and flagged for review. The author will be informed of the alert by email. Prior releases of the module may be deleted if required. In the case of a false positive, then the author may appeal by filing a ticket in the FORGE project describing the incident and attaching the module tarball.
Malware Disclosure Policy
When malware is discovered in content that has already been published by the Forge, we will hard-delete each affected release. We will alert the users of Forge modules following our standard disclosure policy. We will also email the authors of each module that declares a dependency on the affected module.
Last Revised: September 27, 2021