Fine by me! Thanks Donald.

Carl

On 06/05/2017 03:05 PM, Donald Stufft wrote:
> Hi!
> 
> I was talking to some people today about some attack vectors, and one
> thing that surfaced is that there are a few people able to cut a
> release to PyPI for pip/virtualenv/etc who have stepped back from being
> involved in the project. What I would like to do is remove access from
> these people *not* because we’d be “kicking them out”, but simply as an
> effort to reduce the accounts that are possible targets for compromising
> pip. I think the ideal way of doing this is to simply say that if they
> decide to come back, they can have their access reinstated without question.
> 
> I also think it’d make sense to extend this same policy to Github teams
> (not the organization itself, being a member of the organization doesn’t
> grant any special privileges).
> 
> With that in mind, my proposal is to remove:
> 
> * From pip on PyPI: Jannis Leidel, Brian Rosner, Carl Meyer, Ian
> Bicking, Marcus Smith
> * From virtualenv on PyPI: Jannis Leidel, Brian Rosner, Carl Meyer, Ian
> Bicking, Marcus Smith
> * From packaging: Marcus Smith
> 
> That leaves able to do releases being me on all 3, and Matt Iverson
> (Ivoz) on virtualenv. It’s not great to have a single bus factor on
> these projects in case something happens to me, so I’d like to add Paul
> Moore and Xavier Fernandez on all three projects as releasers as well
> (I’m fine actually continuing to do the releases generally, just as a
> backup) assuming they’re both agreeable.
> 
> Then on Github I’d like to remove:
> 
> * From the pip team: Brian Rosner, Ian Bicking, Hugo Lopes Tavares, Carl
> Meyer, Marcus Smith
> * From the virtualenv team: Brian Rosner, Ian Bicking, Carl Meyer,
> Marcus Smith
> 
> Then there are currently 4 Owners of the Github Org PyPA, Myself, Brian
> Rosner, Carl Meyer, and Marcus Smith. For this I’d like to remove all
> but myself, and similarly to PyPI I’d like to add Paul and Xavier as
> owners so it’s not just me (also assuming both are agreeable).
> 
> This should remove access from anyone who hasn’t (that I could find)
> been an active participant in > 1 year, with the stipulation that if
> they decide to come back they will be granted their previous access
> back, so this is merely just a technical solution to limit access. If
> anyone has any problems with this, please speak up!
> 
> I’ve also made sure I’ve BCC’d anyone who I’ve mentioned as losing some
> kind of access to this email in case they’re not subscribed to pypa-dev
> so that they will be aware and can speak up themselves (BCC instead of
> CC so they don’t get spammed with any replies if they don’t care).
> 
> Absent any objections, I’ll take these actions in the next couple of
> days (and I’ll need PyPI usernames for Paul and Xavier).
> 
> —
> Donald Stufft
> 
