Hi,

For me personally, a major reason to trust Debian as my OS stems from Debian having in general pretty good security practices, both in preventing issues and in having such archives and transparency that investigating security failures after they have happened is mostly easy[1].

However, one thing that has worried me for a long time is how access control is done on Salsa. I would like to improve the situation starting from the Go team, and thus I want to propose a policy for how team memberships are granted and revoked, what levels of access exist inside the team, what avenues exist to contribute without formal access, and how we encourage code reviews as a way to both onboard new members and keep existing members involved.

Before I post a draft, I wanted to check if others here think alike and if having a policy for team membership would be useful? Or do people dismiss such things as excess "bureaucracy" and think the current state of things is just fine, and worrying about potential misuse is unfounded?

- Otto

[1] https://optimizedbyotto.com/post/xz-backdoor-debian-git-detection/
