Yearly maintainer permissions review #270
Description
This is a checklist for evaluating python-tuf maintainer accounts and permissions. This issue is automatically opened once a year.
Tasks
- Update this list to include any new services
- Evaluate the accounts and permissions for each service on the list. Some rules of thumb:
- Critical services should have a minimum of 3 active maintainers/admins to prevent project lockout
- Each additional maintainer/admin increases the risk of project compromise: for this reason permissions should be removed if they are no longer used
- For services that are not frequently used, each maintainer/admin should check that they really are still able to authenticate to the service and confirm this in the comments
- Update MAINTAINERS.txt to reflect current permissions
- (Bonus) Update significant contributors in README.md#acknowledgements
Critical services
- PyPI: maintainer list is visible to everyone at https://pypi.org/project/tuf/
- Only enough maintainers and org admins to prevent locking the project out
- GitHub: release environment reviewers listed in https://github.com/theupdateframework/python-tuf/settings/environments
- Maintainers who can approve releases to PyPI
- GitHub: permissions visible to admins at https://github.com/theupdateframework/python-tuf/settings/access
- "admin" permission: Only for maintainers and org admins who do project administration
- "push/maintain" permission: Maintainers who actively approve and merge PRs (+admins)
- "triage" permission: All contributors trusted to manage issues
Other
- ReadTheDocs: admin list is visible to everyone at https://readthedocs.org/projects/theupdateframework/
- Coveralls: everyone with github "admin" permissions is a Coveralls admin: https://coveralls.io/github/theupdateframework/python-tuf