Closed Serene-Arc closed 2 weeks ago
Great! Committed that change, do you think it's ready to merge?
Just curious: who owns the beets Mastodon account? Does a single person have access to the keys or is it just available to the beetbox organization as a whole?
We don't have any social media organisation software so Adrian just shared the email and password with me, and I entered the token into the repository secrets.
Right, good to know! After the xz fiasco, it just feels more important to have this kind of information available for any open-source software with a team of contributors. But I don't think that is something to worry about for beets.
Yeah, it's not ideal, but xz is hopefully an exception. It's not a good idea for projects to be infiltrated, but honestly that kind of thing is extraordinary, which is why it got the attention it did.
To use myself as an example, I've probably got the most power over this project in administrative terms other than Adrian, since he gave me privileges to deal with the release stuff. I control this repo as an admin, as well as the PyPI project and the Mastodon account (which has been inactive, but still). I know I'm trustworthy but others don't, so to some extent it's a leap of faith.
The biggest threat to a project like beets from this isn't an APT trying to get a vulnerability in but people trying to take the project in a different direction and doing the digital equivalent of a coup, worst case just maybe deleting the repo? I don't know. If there are any suggestions for how to share responsibility better, I'm all ears. At some point though, you just need to have some trust in maintainers and admins.
This adds a step to the GitHub release so that it sends a toot on Fosstodon, beets' Mastodon account, to publicise that and get some engagement!
Not tested, but this is lifted straight from the action repo so it should be okay. @snejus for a sanity check if you wouldn't mind
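For reference, an added example (not the PR's own workflow, which uses an unnamed third-party action) of what a release-triggered toot step looks like when it calls the Mastodon REST API directly, with the token read from a repository secret and the job scoped to read-only permissions; the secret name and toot wording are assumptions:

```yaml
name: Announce release on Mastodon

on:
  release:
    types: [published]

jobs:
  toot:
    runs-on: ubuntu-latest
    # Least privilege: this job only needs to read release metadata.
    permissions:
      contents: read
    steps:
      - name: Post release toot
        env:
          # Hypothetical secret name. The value is a Mastodon access token with the
          # write:statuses scope, stored as a repository secret, never in the workflow.
          MASTODON_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }}
          MASTODON_INSTANCE: https://fosstodon.org
          RELEASE_NAME: ${{ github.event.release.name }}
          RELEASE_URL: ${{ github.event.release.html_url }}
        run: |
          # Mastodon's REST API: POST /api/v1/statuses with a Bearer token.
          # Release fields come in via env rather than being interpolated into the
          # script, so a crafted release title cannot inject shell commands.
          curl --fail --silent --show-error \
            -H "Authorization: Bearer ${MASTODON_TOKEN}" \
            --data-urlencode "status=beets ${RELEASE_NAME} is out! ${RELEASE_URL}" \
            "${MASTODON_INSTANCE}/api/v1/statuses"
```

Because the token lives only in the secret store, rotating it (for example when a maintainer leaves) is a one-field change rather than a code change, and the workflow log never prints it.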