On Mon, Jan 30, 2023 at 3:19 AM '[email protected]' via Jenkins Developers <[email protected]> wrote:

> A PR merged in a release can be installed. A missing permission is not at
> that kind of level of impact.

A compromised account with unnecessary commit access could very well have that level of impact if it is used to introduce malicious content into a release.

> To [make] explicit my thinking process there that will also reply to the
> other comments.

I do not see how it could reply to the other comments, because my point about membership in the core-pr-reviewers group being more appropriate remains unaddressed.

> I do not want to put a clock ticking above the heads of any role, that would
> notify you "hey you have not merged a PR since 11 months, in 30 days you will
> be kicked". That's neither the goal nor the intent.

The stated goal and intent is to eliminate unnecessary security-related exposure, accomplished by removing unneeded commit access. Just as an individual who has not reviewed a PR in over a year is creating unnecessary exposure by holding onto unneeded commit access, so also an individual who has not merged or closed a PR in over a year is creating unnecessary exposure by holding onto unneeded commit access. Therefore, accomplishing the stated goal and intent necessitates removing the unnecessary exposure created by both groups.

On Mon, Jan 30, 2023 at 3:27 AM 'Daniel Beck' via Jenkins Developers <[email protected]> wrote:

> How would you feel if any of the folks Oleg listed suddenly started to merge
> or close PRs? Would you really not be surprised, and "think this is fine"?

Since I often receive feedback from individuals who have not been active in a long time and who decline to provide acknowledgement after I address their feedback, nothing would surprise me at this point.
On Sun, Jan 29, 2023 at 6:15 AM Oleg Nenashev <[email protected]> wrote:

> it would be definitely nice to document explicit criteria in
> https://github.com/jenkinsci/jenkins/blob/master/docs/MAINTAINERS.adoc#roles

On Mon, Jan 30, 2023 at 5:06 AM 'Daniel Beck' via Jenkins Developers <[email protected]> wrote:

> We could even use a separate team to represent this

I agree that the criteria should be explicitly documented in MAINTAINERS.adoc for the reasons explained in https://producingoss.com/en/written-rules.html and that alumni should be recognized in a separate team or web page in order to publicly honor their past contributions. In the absence of documentation and an alumni group, this endeavor lacks the thoroughness described in my previous post.
