On Tue, Jul 12, 2022 at 10:18 PM Bruno Haible <br...@clisp.org> wrote:
> Hi,
>
> I started this topic in 2021, in [1]: a proposal to remove write
> permissions from accounts who haven't pushed in a long while.
> There was agreement [2] that contributors who had not directly pushed
> a commit in a year could be revoked the write permission.
>
> The discussion ended with the question of which of the gnulib savannah
> admins wanted to do it.
>
> What has changed since then:
>
> * The log4j incident in December 2021 and a couple of similar
> incidents in the npm world have brought to everyone's attention
> that the software supply chain is critical.
> As a reaction, the Linux Foundation has created a sub-foundation [3],
> GitHub will make 2FA mandatory by the end of 2023 [4], and similar
> moves are underway in the Ruby and Python communities [5].
>
> In GNU, Gnulib is probably, together with the Autotools, one of the
> most critical elements of the software supply chain. If a trojan/malware
> commit gets into Gnulib, we would have big trouble.
>
> Also:
>
> * Since July 2021, I am co-maintainer of Gnulib, and one of the gnulib
> savannah admins.
>
> Therefore I would now like to actually do it.
...
> OK to proceed?
Thanks for taking this on. Fine with me.