RFC: New criteria for commit access

Thank you for raising this discussion, this is an important thing to circle back on and discuss.

Some quick points of agreement: 1) supply chain security is important, 2) access control is important, 3) me granting commit access is legacy and I’d be happy for that to change. That said, as others have raised, we want an open and inclusive community, and need to find a balance here. The current policies are based around the idea that we have code review and a principle of “it’s almost impossible to do irreversible harm to a git repository”.

As to my personal opinion about the proposal, I don’t think it actually achieves the goals. Defining an arbitrary bar for “10” reviews doesn’t achieve anything, whether the patches are trivial or not: If someone serious wants to attack LLVM, they can provide 10 patches. This proposal might make us feel good by reducing risk from a PhD student, but I don’t think that is where actual supply chain risks would present themselves from.

Furthermore, your proposal doesn’t address the most motivating-to-me issues identified by your first post:

The rationale for proposing this change is that commit access on GitHub comes with a lot of other privileges, including but not limited to:

  • Uploading releases to the release page.
  • Viewing repository secrets.
  • Running and modifying GitHub Actions workflows.
  • Publishing packages, including container images.

Instead of excluding a thousand committers and making it more onerous to get commit access, have we considered directly attacking these problems? For example, why not move the releases to a different ACL? Furthermore, we do allow (and I think it is important to allow) direct pushes to the repository for “break glass” sorts of events, but we could escalate visibility for cases when this is used, to reduce the risk from bad actors.

I think bringing things back to “lean on distributed review” and “prevent harm through ‘as little access as necessary for commits’ ACL” is a better direction to pursue here. Your bulleted points above seem like important things to fix for a variety of reasons anyway.

-Chris

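The post argues for leaning on distributed review and for making “break glass” direct pushes visible rather than forbidding commit access. The script below is an added illustration of that second idea, written for this page and not taken from the thread or from LLVM’s infrastructure: it audits a branch history and flags every commit that did not arrive through an approved pull request, which is the signal a maintainer would want surfaced (for example as a notification to a security list) whenever a direct push happens. The `Commit` and `PullRequest` records, the SHAs and the reviewer names are all constructed stand-ins for what one would normally fetch from the GitHub API.

```python
"""Flag commits on a protected branch that bypassed reviewed pull requests.

Added example for the discussion above; the data structures are hypothetical
stand-ins for GitHub commit and PR metadata, and all sample values below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Commit:
    sha: str
    author: str
    message: str


@dataclass(frozen=True)
class PullRequest:
    number: int
    merge_commit_sha: str    # commit that landed on the branch
    approved_by: Tuple[str, ...]  # reviewers who approved; empty = unreviewed


def index_pull_requests(prs: List[PullRequest]) -> Dict[str, PullRequest]:
    """Map each landed commit SHA to the pull request that produced it."""
    return {pr.merge_commit_sha: pr for pr in prs}


def audit_branch(branch: List[Commit], prs: List[PullRequest]) -> List[Tuple[Commit, str]]:
    """Return (commit, reason) for every commit not covered by an approved PR.

    Two cases are distinguished, because they call for different follow-up:
    a commit with no PR at all (a direct push, legitimate or not) and a PR
    that was merged without any approval (review was skipped).
    """
    by_sha = index_pull_requests(prs)
    findings: List[Tuple[Commit, str]] = []
    for commit in branch:
        pr = by_sha.get(commit.sha)
        if pr is None:
            findings.append((commit, "no pull request: direct push to branch"))
        elif not pr.approved_by:
            findings.append((commit, f"pull request #{pr.number} merged without approval"))
    return findings


def alert_lines(findings: List[Tuple[Commit, str]]) -> List[str]:
    """Render findings as one-line alerts suitable for a notification channel."""
    return [f"ALERT {c.sha} by {c.author}: {reason} ({c.message!r})" for c, reason in findings]


# Constructed sample history, oldest first.  SHAs and names are placeholders.
BRANCH = [
    Commit("a1a1a1", "alice", "Fix parser crash on empty input"),
    Commit("b2b2b2", "bob", "Update contributor docs"),
    Commit("c3c3c3", "carol", "Revert broken build (break-glass push)"),
    Commit("d4d4d4", "dave", "Add new analysis pass"),
]
PULL_REQUESTS = [
    PullRequest(101, "a1a1a1", ("reviewer-1",)),
    PullRequest(102, "b2b2b2", ()),            # merged with no approval
    PullRequest(103, "d4d4d4", ("reviewer-2",)),
]

if __name__ == "__main__":
    for line in alert_lines(audit_branch(BRANCH, PULL_REQUESTS)):
        print(line)
```

Run against the constructed history this reports two commits: `b2b2b2`, whose pull request was merged without an approval, and `c3c3c3`, which has no pull request at all. A legitimate break-glass push still shows up, which is the point of the post’s suggestion: the push is allowed, but it is never silent.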