theupdateframework / community

Community Repository of The Update Framework (TUF)
http://theupdateframework.io/

Add initial set of maintainers #11

Closed mnm678 closed 1 month ago

mnm678 commented 3 months ago

Addresses #5.

This list is copied from the TAP editor list. We should make sure the GitHub permissions match this list before merging.

joshuagl commented 3 months ago

Is the request to update GitHub org permissions so all maintainers named here are org admins?

Should we be adding our newly welcomed TAP editor to this list?

mnm678 commented 3 months ago

> Is the request to update GitHub org permissions so all maintainers named here are org admins?

They should either be admins of the org or at least of this repository. It would be nice if we had a list of org admins someplace, so that would be my vote. cc @JustinCappos

JustinCappos commented 3 months ago

> Is the request to update GitHub org permissions so all maintainers named here are org admins?
>
> They should either be admins of the org or at least of this repository. It would be nice if we had a list of org admins someplace, so that would be my vote. cc @JustinCappos

One of the things that was brought up to us during the graduation process is that we should minimize who has org admin access to reduce the possibility of an account compromise impacting us. I'm all for picking a set of people who need it and are likely to be accessible and then bugging them as needed. (It does not bother me if I end up not being on this list.)

jku commented 3 months ago

> we should minimize who has org admin access to reduce the possibility of an account compromise impacting us

:+1:

As a side note: this also means project maintainers should not have full admin permissions for their projects.

As an example I think I can currently change the python-tuf release environment settings (meaning that I or anyone with access to my account can make releases, regardless of the security settings that require multiple people)... I would rather I didn't have that capability. I would prefer to ping an org admin group (an actual github group) in an issue and ask them to do changes (or temporarily make me admin) instead.

This is obviously a bit more bureaucratic: it requires org admins who are willing to do chores and maintainers who are willing to jump through a hoop or two.

mnm678 commented 3 months ago

In that case, we should still document the list of org admins, and separately list maintainers for this repo. Who should be included in each of those lists? We can discuss at the TUF community meeting next week as well.

h4l0gen commented 1 month ago

Hi maintainers, what is the conclusion of this discussion? As per the LFX'24 project idea "Documentation assessment and improvements" (https://github.com/cncf/mentoring/blob/main/programs/lfx-mentorship/2024/02-Jun-Aug/README.md#documentation-assessment-and-improvements), I am evaluating TUF documentation according to the CNCF assessment criteria, and we need a Maintainers.md in the community repository to meet the criteria. Can we look towards creating a Maintainers.md separately for this repository?

JustinCappos commented 1 month ago

I'd suggest we start with:

I'm open to other suggestions from the community about how to build this list out.


h4l0gen commented 1 month ago

@JustinCappos your suggested changes are already included in this PR, so we can think about merging this. If any other changes are required, I am open to working on them. Thank you!