Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adopt and publish a "Maintainer Covenant" for this project #586

Closed
broofa opened this issue Oct 23, 2021 · 3 comments
Closed

Adopt and publish a "Maintainer Covenant" for this project #586

broofa opened this issue Oct 23, 2021 · 3 comments
Assignees
@broofa
Labels
discussion nice-to-have

Comments

@broofa
Copy link
Member

broofa commented Oct 23, 2021
edited
Loading

Are there any opensource projects that publish covenants around their security / maintenance practices? Something we could use as a template...?

I'm thinking of something similar in spirit to the contributor convenant, but that enumerates basic principles of good project management (esp. as relates to security) that the maintainers commit to. I ask because there has been yet another breach in a popular NPM module, and the circumstances seem all too familiar. Having such a document would, I believe, help encourage maintainers to check these boxes as their projects become more popular, and I believe (read, "hope"), that we've reached a place where this project could set a good example.

Off the top of my head, some items this could cover:

  • Security
    • Use of 2FA (required for all maintainers, all relevant accounts. Esp. GitHub & NPM)
    • Use of password managers for managing credentials on personal devices
    • Handling of shared passwords and access tokens (ref. Secrets)
  • Maintainer team
    • Minimum size (to allow for code review, and mitigate Bus Factor issues)
    • Qualifications expected
    • Vetting process
  • Code access
    • All commits to master require review
@ctavan
Copy link
Member

ctavan commented Oct 23, 2021

I’m all for it! I believe that we did a good job so far implicitly, but I agree that it would be worthwhile to formalize this!

broofa added a commit that referenced this issue Oct 26, 2021
@broofa
first pass at maintainer covenant, fix #586
67a5bc5
@broofa broofa closed this as completed in c285a4a Oct 26, 2021
broofa added a commit that referenced this issue Oct 26, 2021
@broofa
Revert "first pass at maintainer covenant, fix #586"
16e9cc9 
This reverts commit c285a4a.
broofa added a commit that referenced this issue Oct 26, 2021
@broofa
first pass at maintainer covenant, fix #586
8f9dfe2
broofa added a commit that referenced this issue Oct 26, 2021
@broofa
chore: first pass at maintainer covenant, fix #586
cf9bcf9
@LinusU
Copy link
Member

LinusU commented Oct 26, 2021

(reopening since this was accidentally closed because of a push to master)

@LinusU LinusU reopened this Oct 26, 2021
@LinusU LinusU linked a pull request Oct 26, 2021 that will close this issue
chore: first pass at maintainer covenant, fix #586 #588
Closed
@broofa broofa mentioned this issue Oct 26, 2021
Closed
@broofa broofa self-assigned this Oct 26, 2021
@broofa
Copy link
Member Author

broofa commented Aug 11, 2022

Closing. See #588 (tl;dr: I don't have the time / there's better solutions)

@broofa broofa closed this as completed Aug 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@broofa broofa

Labels
discussion nice-to-have
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: first pass at maintainer covenant, fix #586 uuidjs/uuid
3 participants
@broofa @LinusU @ctavan