Yes, the plan is still to alter the default behavior. As stated in the original email:

"Projects that have a strong desire to use the “only need approval first time” option should communicate that, explaining their reasons, in a Jira ticket for Infra. Please be as specific as you can in which repositories you wish to have this option set for, should you choose to."

We already have a number of tickets which have been submitted for exceptions which will be granted/implemented when we change the default to be more secure. Infra is working on a policy and procedure for projects to self-police the security risks that come along with the exemption.

For the safety of our codebase, there must be oversight and accountability for actions initiated by people who are unaffiliated with the Foundation, so there needs to be a process for a project to request an exemption, rather than a simple opt-out repository .asf.yaml setting.

This change is not being enforced on everyone abruptly. We have been discussing it here for a month, invited input and counterpoint, and provided a process to request an exemption. We agree with those projects who have identified this change as a hindrance and thank them for providing compelling reasoning for those exemptions, which, as previously noted, will be granted when the change goes live.

-Chris

--
@fluxo
Chris Lambertus
ASF Infrastructure

> On Mar 14, 2023, at 8:20 PM, Sumit Kumar via users <us...@infra.apache.org>
> wrote:
>
> Folks,
>
> Is the 03/19/2023 deadline still in force? What's the final verdict from
> infra? Can projects control this behavior by creating some configuration file
> in their repository so this mass impact can be controlled by respective PMCs
> rather than being enforced on everyone abruptly?
>
>
>
> ---- On Mon, 13 Feb 2023 13:27:16 -0800 Kenneth Knowles <k...@apache.org>
> wrote ---
>
> I've raised https://issues.apache.org/jira/browse/INFRA-24201 for Beam and
> see also Airflow's ticket https://issues.apache.org/jira/browse/INFRA-24200.
>
> On Mon, Feb 13, 2023 at 11:49 AM Daniel Gruno <humbed...@apache.org> wrote:
>
> To Project PMCs:
>
> GitHub for Apache projects is currently set to allow a non-committer
> contributor to use GitHub Actions if a previous pull request by that
> person has been approved.
>
> This has raised some security concerns, and could cause issues with
> overall use and availability of GitHub Actions.
>
> The Infrastructure Team proposes to change the default to “always
> require approval for external contributors”. We intend to make this
> change on Sunday the 19th of March, 2023.
>
> This change will apply to all GitHub repositories that do not already
> have a specific GitHub Actions policy set.
>
> Projects that have a strong desire to use the “only need approval first
> time” option should communicate that, explaining their reasons, in a
> Jira ticket for Infra. Please be as specific as you can in which
> repositories you wish to have this option set for, should you choose to.
>
> With regards,
> Daniel, on behalf of the ASF Infrastructure Team.