Mostly, I concur with what Leon said.  I'm going to pick off or clarify in
several places.


> Do all 30 people listed in PTG have the same perms and standing in PTG?

We recently flattened it.  There are the "owners" who have ultimate control
per github. Mostly, all we do is manage membership.

There are "admins" who get admin control over repos for stuff like setting
up git hooks or other things.  These are generally the "lead" developers
for the different projects and we trust people not to muck with settings on
repos they don't contribute to.

Everyone else (the "chain gang") has write access to all repos.


> Are all 30 people free to push to all ~27 PTG repos at any time?
> Technically free or socially free?

Technically free.  Socially, I think Leon put it well.  We generally trust
people to do the right thing on projects they are collaborating on.  And
since it's a VCS, if people abuse that trust, reversions are easy-ish.


> BINGOS does many CPAN releases for PTG modules for a number of years now
> but he rarely writes code. In PAUSE, there is a concept of owner, and
> comaint. Do these have relevance to who is the owner of a PTG module?


I would distinguish PTG the Github organization from "toolchain
maintainers" more generally/socially.  PTG is a facility for
collaboration.  It reflects the social collaboration agreements among
people who contribute to toolchain modules.

The social organization is decentralized.  In recent years, venues like
#toolchain and the QA hackathons and this list (and sometimes p5p) have
been where differences get debated and courses of action set.

Generally, I think there has been little advance planning and discussion
and whoever was interested/active and had PAUSE permissions did whatever
they wanted without much oversight.  The Berlin discussions were an attempt
to change that.


> I find any "Author" section in PTG module pod to be years or a decade out
> of date. Is the Pod's author the "owner" of the module and still
> responsible for it even though it is under PTG care?

The author section accumulates.  I personally consider the last person to
ship to CPAN to be the person "on the hook" for any given module unless
they specifically say they are stepping down from that role.  (Ideally, by
making someone else the primary maintainer on PAUSE.)



> If a PTG module is always released by one person, and nearly every commit
> is by one person, page after page on GH, year after year, XDG's modules for
> example, it is obvious that he, and not the PTG collective is the owner of
> that.

By putting my modules on PTG, I'm explicitly taking myself out of the
critical path for their development.

> When a module is "donated" to PTG, is the donator still the owner of the
> module, or is PTG collectively now the owner and author of the module, and
> original owner can not be blamed for anything that happens under PTG
> development model?

PTG (the org) is a vehicle to facilitate collaboration.  By putting it
there, an author is inviting any of the PTG members to hack on it.  It
doesn't mean anything about "ownership".

In my opinion, the only place of record for ownership is PAUSE.  If there
is one person to look to, that's the person listed as primary maintainer.
Co-maints are also responsible parties, though many are inactive in
practice.


> Who gets a free ride to the police station when a rootkit that calls home
> was shipped to CPAN in a PTG tarball?

I think the LICENSE of most modules disclaims any warranty, but to your
more general point, I would hold the person who uploaded to CPAN ultimately
responsible for the quality of what they ship.


> The PTG member with a commit bit who pushed the rootkit to the PTG git
> repo responsible?

That falls under the "breach of trust" point I made earlier.


> What are the responsibilities of a PTG member who cuts a CPAN tarball?
> Are they a cron job whose only purpose is to bump version numbers and
> verify the changelog contains a new version number, or are they required to
> review the git history (and perhaps GH issues/PRs) since the last CPAN
> release?

As I said already, don't think of it as "PTG member".  The PAUSE author who
uploads is responsible for quality.  If that person commits a breach of
trust or is otherwise grossly negligent, the Berlin governance mechanisms
would kick in to encourage that person to step down.  Ultimately, that
means the Pumpking has the power to fire a maintainer.

Thus, I think the uploader ought to be more than a cron-job and should
either review the code personally or delegate that to trusted 3rd parties.


> Bullet #5 says RJBS is the "tie breaker". I don't personally think that
> sentence is the same as owner, but someone can interpret that sentence as
> meaning RJBS is the final say on PTG, and therefore the owner of PTG.

RJBS (and likely any future pumpking) would probably be put in the github
"owners" group for convenience but he is not the "owner" of the group.
Rik's authority over dual-life modules ultimately derives from Larry's
delegation and perlpolicy.  He is ultimately responsible for the quality of
perl releases under his tenure.


> local::lib's perms list has many people not in
> https://github.com/orgs/Perl-Toolchain-Gang/people . What is going on
> with this module?

Some people believe in giving out commit bits liberally as a way of
encouraging contributors.  That's up to the primary maintainer.  I agree
that your concern about attack vectors is a reasonable reason to prune such
long lists.


> There is a PAUSE ID called MMML
> http://www.nntp.perl.org/group/perl.modules/2000/10/msg3190.html A number
> of PTG modules have this in PAUSE, but not all. Who is MMML? What is the
> purpose of this account?

PAUSE has a concept of "mailing lists" which function as group
permissions.  Andreas would have to elaborate further.


> So from this conversation, MST has taken on the role as the administrator
> and therefore owner of PTG. Is MST the actual owner of the PTG account
> (root password for GH) or just one of 30 members?

Matt has "owner" permissions and is empowered to moderate discussions.  As
I said on that ticket, process/governance questions are better discussed
here.


> Is PTG a secret society?


PTG is a shared code repository.  What anyone says or commits doesn't imply
any endorsement by other members.


> I can lookup word consensus in a dictionary, but that definition doesn't
> apply to PTG modules.


It applies in the sense that "we" (parties interested in Perl toolchain
issues) have generally agreed that we want major decisions to have general
agreement by interested parties.  (Yes, this is sort of a circular
definition.)

Think of it this way: even though I don't maintain (or want to maintain)
parts of the toolchain, I have strong opinions about how those parts should
work.  And I want whoever is maintaining those other parts to take my
opinion (and the opinions of others) into account.


> For P5P, there is RJBS as the scapegoat, who is the scapegoat for PTG?
>
>
The owners group are the scapegoats for the technical (and social) issues
involved in running a shared code repository. It has nothing to do with the
ownership of modules.

Personally, I consider the PAUSE primary maintainer to be the owner of
record and thus scapegoat and no one should remain in that role unless they
are willing to take that responsibility.


My answers to the following questions represent my personal opinion.  I'm
not speaking as a "PTG owner" or anything.

> Why did EU::MM development stall (my question)?

I think EUMM is so complex and poorly understood that few people are
comfortable reviewing and signing off on major changes.


> Why did mohawk's changes go in unsupervised (not my question)?

I don't know.  I suspect that some code review indicated that it was safe
and that problems were discovered later after release.  This may indicate a
failure of the release testing process.


> Who gave him a commit bit (not my question)?

Probably me, under the general principle that anyone credibly wanting to
participate should get a bit until they abuse that trust.


> Why "bugs" instead of "notabug" preventing EUMM stable (my question)?

I don't understand the question.

> Why didn't mohawk take over releasing EUMM from bingos (my question)?

Because he doesn't have enough of a track record to be trusted with control
of such a linchpin of CPAN.


> watch, some reforms are needed to prevent another EUMM from happening in
> the future.

This mailing list is the right place to discuss ways to improve the
governance of EUMM.

David

-- 
David Golden <x...@xdg.me> Twitter/IRC/Github: @xdg
