theupdateframework / python-tuf

Python reference implementation of The Update Framework (TUF)
https://theupdateframework.com/
Apache License 2.0

Maintenance discussion #2700

Open jku opened 6 days ago

jku commented 6 days ago

For the past year the vast majority of PRs have been reviewed by me and Lukas: This worked fine for a small project like this. Now Lukas is taking a break so we'll need to at least rearrange the deck chairs. I intend to continue as maintainer... but not alone.

For existing maintainers:

For non-maintainer contributors:

Pinging @theupdateframework/python-tuf-maintainers for discussion. For those who don't have permissions to view the team, it contains @jku, @lukpueh, @JustinCappos, @mnm678, @joshuagl and @trishankatdatadog

jku commented 6 days ago
  • I think being a reviewing maintainer without being in weekly contact with the project is totally fine: we just need to figure out how you can be pinged for reviews (without making contributors responsible for finding a reviewer)

I'd appreciate opinions on this one: how would you like this to work?

I have some ideas:

kairoaraujo commented 6 days ago

I can help with maintenance, such as code review and triage. I cannot do much, but I can spend ~ one hour weekly if it helps. I know it is not a lot, but it is what I can do on the project.

jku commented 6 days ago

> I can help with maintenance, such as code review and triage. I cannot do much, but I can spend ~ one hour weekly if it helps. I know it is not a lot, but it is what I can do on the project.

Yeah, I think it would help: you're familiar with the code already and the main bottleneck is just small things like https://github.com/theupdateframework/python-tuf/pull/2684 not moving forward -- not because it's a big thing to review but just because nobody happens to be looking right now.

I'd be happy to have kairo added to maintainer team (for your information this should give review, push and tag push permissions: the release approval list is still separate).

mnm678 commented 6 days ago

TAG Security has a system that automatically assigns PRs to a couple of maintainers. I do sometimes miss the pings in my inbox, but something similar might help prioritize issues for each maintainer.

trishankatdatadog commented 6 days ago

Left the team. Thanks for the reminder. Sorry, but no time for maintenance right now, and I didn't want to just hang around if I can't contribute... 😞

joshuagl commented 2 days ago

I'd be happy to have Kairo added to the maintainer team. Thanks for volunteering, Kairo.

I can also commit to ~1 hr a week for reviewing PRs, but unfortunately often miss them in the noise of my GitHub inbox. I'm trying to rectify, but feel free to ping me for review.

jku commented 1 day ago

Sounds good to me, thanks.

org admins are needed to add Kairo to the team, that might be @JustinCappos or @joshuagl?


On the review request discussion: The CODEOWNERS change is live now so maintainers now get added as reviewers.

I am considering removing the requirements files from being covered by CODEOWNERS. That way the constant dependabot spam would not ping everyone but human PRs would get the attention (conversely it might mean dependabot PRs stay unreviewed if no-one keeps an eye on the project -- currently this is not an issue as I process these a couple of times a week). @joshuagl @kairoaraujo opinions?

kairoaraujo commented 1 day ago

> I am considering removing the requirements files from being covered by CODEOWNERS. That way the constant dependabot spam would not ping everyone but human PRs would get the attention (conversely it might mean dependabot PRs stay unreviewed if no-one keeps an eye on the project -- currently this is not an issue as I process these a couple of times a week).

I'm ok to keep requirements in CODEOWNERS (and be spammed by dependabot), as reviewing dependabot PRs is part of the duty 😄

joshuagl commented 1 day ago

> Sounds good to me, thanks.
>
> org admins are needed to add Kairo to the team, that might be @JustinCappos or @joshuagl?

I just invited Kairo to the team