On 18/06/26 6:01 pm, Otto Kekäläinen wrote:
> For me personally, a major reason to trust Debian as my OS stems from
> Debian having in general pretty good security practices, both in preventing
> issues and in having such archives and transparency that investigating
> security failures after they have happened is mostly easy[1].
> 
> However, one thing that has worried me for a long time is how access
> control is done on Salsa.
> 
> I would like to improve the situation starting from the Go team, and thus I
> want to propose a policy for how team memberships are granted and revoked,
> what levels of access exist inside the team, what avenues exist to
> contribute without formal access, and how we encourage code reviews as a
> way to both onboard new members and keep existing members involved.
> 
> Before I post a draft, I wanted to check if others here think alike and if
> having a policy for team membership would be useful?

I generally grant people access if they are a DD or DM already. If not, and I
see a mail on the ML, I tend to approve - though having no past contribution
might be concerning.

There are however a bulk of requests that I have no idea what to do about. Bunch
of them have been left without any action for a long while by all owners.

I would find a policy that decides when access could be granted to be
useful. I'd also find it useful for the policy to also mention clearly
what role should be granted, and when is bumping that role (to
maintainer or owner) considered appropriate.

> Or do people dismiss such things as excess "bureaucracy" and think the
> current state of things is just fine, and worrying about potential misuse
> is unfounded?

Bureaucracy depends on what the proposal and eventually policy says.

I remember a team which had a rule - you need to have 2 votes from
existing members to get access no matter what. The said team had only
20 or so members, and I knew only a couple of people and could only get
one 'second'. Suddenly, after 2 years (!) of this, I got added one day
OOTB with no further seconds. I was already a DD when I asked to get
added. This IMHO is inane bureaucracy, and made my job unnecessarily
difficult for no good reason. Recently, another DD asked for access, got
the seconds but no one added them and this is lying in a limbo state
for several months.

If you do make a proposal, just this as a pointer, please do avoid
making arbitrary rules like these.

Thanks for talking about this,
Nilesh