Automate the majority of the ownership transfer process (retain human approval)

Created on 3 June 2024, 12 months ago

Part of 🌱 [META] Increase Security of Project Ownership Transfer Process (Active). This may belong on D.O. Customization; however, I am opening it here first as it is subject related.

Currently many stages in the project ownership process depend upon human trust (the applicant asserts they took an action, but there is no proof they did) and are subject to human error (failure to validate that an applicant meets the requirements, failure to send notifications, etc.).

As such we should automate the majority of the process to remove humans from the steps that can be automated and use them solely for human review.

Applicants should visit a page on D.O. where they are prompted for the module they wish to adopt and at what level (Owner/maintainer/co-maintainer).

The page should:
Validate the user meets the required gates.
Create an issue in the Issue Queue
Email the relevant project owners/maintainers a link to allow them to accept/deny the request, along with the issue thread so they may review and publicly comment.

If the required level of maintainer does not respond D.O. should:
Re-run the user gates to be sure the user is still eligible.
Move the existing issue to the Project Ownership queue with a note that the project maintainers have not responded.
Wait for a Project Ownership queue maintainer to review the issue and approve/deny.

Upon approval by a Project Ownership queue admin (or the module maintainers) D.O. should (again) re-run the user gates and programmatically add the access rights for the applicant (to avoid human error and to reduce the number of accounts that have rights to change user permissions).
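A model of the proposed flow, as an added example that is not part of this issue or of drupal.org's code (written in Python for illustration rather than Drupal's PHP). The concrete gate (the opt-in permission for projects under security advisory coverage) and the state names are assumptions; the security-relevant point it demonstrates is that every transition re-runs the gates and the system, not the approving human, performs the grant.

```python
from dataclasses import dataclass, field
@dataclass
class User:
    name: str
    can_opt_into_security_coverage: bool = False

@dataclass
class TransferRequest:
    user: User
    project: str
    level: str  # "owner", "maintainer" or "co-maintainer"
    project_security_covered: bool = False
    state: str = "submitted"
    log: list = field(default_factory=list)

def gate_failures(req):
    """Eligibility gates (assumed; the issue itself does not enumerate D.O.'s gates)."""
    if req.project_security_covered and not req.user.can_opt_into_security_coverage:
        return ["cannot opt projects into security advisory coverage"]
    return []

def _recheck(req, step):
    """Every transition re-runs the gates; an earlier pass is never trusted."""
    failures = gate_failures(req)
    if failures:
        req.state = "rejected"
        req.log.append(f"{step}: rejected ({'; '.join(failures)})")
    return not failures

def submit(req):
    if _recheck(req, "submit"):
        req.state = "awaiting maintainers"
        req.log += ["issue created", "maintainers emailed accept/deny link"]
    return req.state

def escalate_unanswered(req):
    # Maintainers did not respond: re-run gates, then hand off to the ownership queue.
    if _recheck(req, "escalate"):
        req.state = "awaiting queue admin"
        req.log.append("moved to Project Ownership queue: maintainers did not respond")
    return req.state

def approve(req, approver):
    # Human decision recorded, gates re-run, and the system (not the admin) grants rights.
    if req.state not in ("awaiting maintainers", "awaiting queue admin"):
        raise ValueError(f"cannot approve a request in state '{req.state}'")
    if _recheck(req, f"approve by {approver}"):
        req.state = "granted"
        req.log.append(f"system granted {req.level} on {req.project} to {req.user.name}")
    return req.state
```

An applicant who was eligible at submission but loses the permission before approval is rejected at the approval step, which is the case the manual process relied on a human to catch.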

📌 Task
Status

Active

Version

3.0

Component

Other

Created by

🇺🇸United States cmlara


Comments & Activities

  • Issue created by @cmlara
  • 🇮🇹Italy apaderno Brescia, 🇮🇹
  • 🇨🇦Canada joseph.olstad

    I like this idea!

    How big of a quorum do we need to get approval for this initiative?

  • Status changed to Postponed about 2 months ago
  • 🇺🇸United States drumm NY, US

    I do not think this makes sense to work on before Move issues from www.drupal.org to git.drupalcode.org (Postponed) so we do not need to do this work twice.

  • 🇺🇸United States cmlara

    Linking two issues where a Project Ownership Queue Admin transferred projects that were opted in to Security Coverage to a user who did not appear to have the opt in permission required per policy.

    The proposed automated gates in this issue would reduce the risk of such incidents.

  • 🇮🇹Italy apaderno Brescia, 🇮🇹

    the opt in permission required per policy

    Apply for permission to opt into security advisory coverage is not a policy. Please stop making false claims.

  • 🇺🇸United States cmlara

    Please stop making false claims.

    I am referring to the following statements where users have been refused project transfer for not having the security opt in permission.

    The project is covered by the security advisory policy; project moderators will not add as maintainer/co-maintainer, or project owner, somebody who cannot opt projects into security advisory coverage, as in this case.
    I sometimes contact the maintainers, hoping they will reply back accepting the offer. They are the only ones who can decide to add as maintainers/co-maintainers people who cannot opt projects into security advisory coverage, though.

    — avpaderno
    https://www.drupal.org/project/marvelous/issues/3492162#comment-16028940 💬 Offering to maintain Marvelous Theme (Active)

    Project moderators will not add as co-maintainers/maintainers people who cannot opt projects into security advisory coverage

    — avpaderno
    https://www.drupal.org/project/simple_cron/issues/3453929#comment-15651081

    @cmlara You are right. I thought I already checked that before, but I obviously got confused.

    @Chandreshgiri Gauswami I have to remove you from the maintainers list, for the moment.

    — avpaderno
    https://www.drupal.org/project/adminer/issues/3441835#comment-15594906 💬 Offering to maintain Adminer (Active)

  • 🇮🇹Italy apaderno Brescia, 🇮🇹

    In English, "will" does not mean certainty.
    That part means people who cannot opt projects into security advisory policy cannot expect to be added as maintainer, co-maintainer, or project owners. It does not mean a project moderator will not add them as maintainers, co-maintainers, or project owners.
