Hi,
I would like to propose we add some new criteria for obtaining and retaining commit access:
This proposal has been updated: v2 v3 v4.
* A user must have 10 commits merged to main before they are granted commit access.
* A user must have at least 10 commits in the past 12 months to retain commit access (This would be enforced monthly).
I prefer having 10 be the threshold, but would not necessarily be opposed to another number.
The rationale for proposing this change is that commit access on GitHub comes with a lot of other privileges, including but not limited to:
- Uploading releases to the release page.
- Viewing repository secrets.
- Running and modifying GitHub Actions workflows.
- Publishing packages, including container images.
It’s important that we can trust people with these kinds of privileges to ensure that our project’s software supply chain is secure. I think limiting commit access to only active contributors will significantly cut down on the risk of a bad actor obtaining commit access and compromising the project in some way.
Currently, there are 1789 users with commit access to the llvm-project repo. If we were to implement this policy we would revoke commit access from 1234 people leaving us with 555 committers.
Along with this proposal, I would like to also change the way users request commit access so we can automate checking their total number of commits. Instead of having users email @clattner directly, they would file a GitHub issue with the commit-access label and we would have a GitHub Action job to verify that they were eligible. Chris would then review the ticket and give them commit access if they qualified. I think this process would be preferable to having Chris manually look up the number of commits for each request.
It’s important to balance project security with being welcoming to newcomers, but I think that commit access for new or less frequent contributors is much less necessary now that we are using GitHub pull requests. It’s very easy (just one click on the web UI) to push a commit on someone else’s behalf, which was not the case when we were using Phabricator. So, I don’t think this change will impose any significant burden on new or infrequent contributors.
(edit: Had to slightly decrease the number of committers who qualify under these rules from 574 to 555 due to a typo in my query: `git shortlog -sn --branches=origin/main --after="15 Jan 2023"`)
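As an added illustration of the retention check described above (this script is not part of the proposal or of the LLVM project's tooling), the following POSIX shell script applies the "N commits in the past 12 months" rule to the output of `git shortlog -sn`. The threshold of 10, the window of 12 months, and the four sample authors are assumptions constructed for the example; the `--live` switch runs the real query inside a checkout.

```shell
#!/bin/sh
# Added example, not from the original post. It assumes a threshold of 10
# commits and a window of 12 months (both overridable via the environment), and
# parses `git shortlog -sn` output, whose lines look like "    42<TAB>Author Name".

THRESHOLD="${THRESHOLD:-10}"
WINDOW="${WINDOW:-12 months ago}"

# Per-author commit counts on main for the window. Only meaningful inside a
# clone of the repository; git accepts relative dates such as "12 months ago".
commit_counts() {
    git shortlog -sn --branches=origin/main --after="$WINDOW"
}

# Constructed sample shortlog output so the script runs without a checkout.
sample_shortlog() {
    printf '    42\tAlice Example\n    10\tBob Example\n     9\tCarol Example\n     1\tDave Example\n'
}

# Authors at or above the threshold: they would be granted / retain commit access.
# Reads shortlog lines on stdin; the optional argument overrides THRESHOLD.
eligible_committers() {
    awk -F'\t' -v t="${1:-$THRESHOLD}" '($1 + 0) >= t { print $2 }'
}

# Authors below the threshold: their commit access would be revoked by the
# monthly enforcement run.
ineligible_committers() {
    awk -F'\t' -v t="${1:-$THRESHOLD}" '($1 + 0) < t { print $2 }'
}

# Pick the data source: the live repository or the constructed sample.
if [ "${1:-}" = "--live" ]; then
    counts="$(commit_counts)"
else
    counts="$(sample_shortlog)"
fi

echo "Eligible (>= $THRESHOLD commits since '$WINDOW'):"
printf '%s\n' "$counts" | eligible_committers
echo
echo "Would lose commit access (< $THRESHOLD commits):"
printf '%s\n' "$counts" | ineligible_committers
```

Run without arguments it reports on the constructed sample (Alice and Bob qualify, Carol and Dave do not); run with `--live` inside a clone it reports on the real history. A GitHub Action implementing the proposed issue-based request flow could run the same `eligible_committers` filter against the requester's name and comment the result on the issue.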