I'd like to request opinions on whether we should get rid of the "Trusted
Authors" check in the Sage patchbot.

At present, the patchbot won't test a ticket unless all of the names in the
Trac "Authors" field have had at least one ticket previously merged.
Presumably the intention of this is to prevent people uploading git
branches with malicious code that will hijack the patchbot servers. But the
"Authors" field is a free text field; there's nothing to stop anybody with
a Trac account uploading a git branch with author set to "William Stein",
or "Mickey Mouse" for that matter. So this feature provides zero actual
security against attacks, and only serves to make life more difficult for
legitimate users -- and, worse still, it specifically targets new
contributors who we want at all costs to encourage.

So I would advocate getting rid of the "Trust" feature -- or at least
adjusting it so it runs the ticket if any of the authors are trusted
(rather than all of them). What do others here think of this idea?

(I spotted this while reviewing ticket 19169, where the authors are a group
of first-time Sage contributors from Sage Days 69 in 2015. The ticket has
been languishing in needs-review purgatory for most of the intervening 2
years, and the fact that it didn't have a green light from the patchbot
probably contributed to that.)

David
