Contrib.social

Add log of mainatiner level changes to project pages and provide notice when the Project Ownership queue adds/promotes a user

Open on Drupal.org →
Created on 5 June 2024, 11 months ago

Problem/Motivation

Part of 🌱 [META] Increase Security of Project Ownership Transfer Process Active .

Currently there is no way to determine when maintainer levels have been changed for user on a project to understand how a project management structure may change over time. This is especially important for when the Project Ownership queue promotes an existing maintainer or adds a new maintainer.

In order to help site owners review a module and vet the security it would be helpful if D.O. prominently displayed notice on the project page when the Project Ownership queue promotes a user to higher permissions (so that site owners can evaluate if they trust the user) for a period of time (months?) after a change occurs. Addtionaly at the same time providing historical logs of permission changes so that at any time a site owner may evaluate the management history of a module prior to installing it.

The posting in the Project Ownership queue is considered insufficient notice as it is not directly connected to the project and does not capture all changes.

Steps to reproduce

N/A

Proposed resolution

Add maintainer level changelog (similar to project info change history)
Add warning to project pages where the Project Ownership queue has promoted a user without the the approval of an owner/maintainer.

Remaining tasks

User interface changes

TBD

API changes

TBD

Data model changes

TBD

Feature request
Status

Active

Version

3.0

Component

Code

Created by

🇺🇸United States cmlara

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @cmlara
  • Comment 11 months ago
    🇺🇸United States cmlara

    Relevant quotes from https://drupal.slack.com/archives/C2AAKNL13/p1715712783335239:

    Is there a message on the project page that displays when a maintainer has switched? If not, perhaps a "the maintainers of this module has changed recently" message could be helpful.

    -- Joe GL

    Or more sophisticated approach - maintainers history - where all maintainers changes will be logged and displayed (with dates, etc). And you can easily check, when someone was added, removed, changed permissions and so on.

    -- Juraj Nemec

  • Comment 11 months ago
    🇦🇺Australia dpi Perth, Australia

    FWIW each project has

    https://git.drupalcode.org/project/diff/activity

    And all projects master feed:

    https://git.drupalcode.org/groups/project/-/activity

    Click Teams tab at the top of each

    Data is also available on the API

  • Comment 11 months ago
    🇺🇸United States cmlara

    I will agree that the GitLab activity feed provides some data.

    I will note a couple activities that are the GitLab API may not provide data for:
    Change of a maintainer to owner will not report a permission change as they hold the same level in GitLab.
    Adding a new user to owner will report the same as adding a maintainer.
    There is no easy way to determine if it was Project Ownership that added the user except to assume if its one of the 'known' queue admins that performed the action (and that they joined/left the project in rapid succession) that it may have been project ownership queue.

    Not to complexly discount it, the activity stream is useful, there are just a few edge cases it may not be able to capture.

  • Comment 11 months ago
    🇳🇴Norway gisle Norway

    IMHO, the peer review of the code committed to a project is much more important to discover supply chain attacks than the proposed highlighting the log of maintainer level changes.

    Of course, implementing this highlighting wouldn't do any harm, but resources is always in short supply, and any benefit this proposed measure might bring will probably not be worth the expense of implementing it.

    But if anyone wants to donate resources to implement what is sought here, please go ahead!

  • Comment 11 months ago
    🇺🇸United States dww

    It has been an ongoing regret that when I very first implemented the project level permissions and maintainers tab on d.o, that I didn’t build this into it from the beginning. 😢 Completely aside from the supply chain aspects and whether end users would care to see it, simply for the benefit of d.o site admins to figure out WTF is going on in various conflicts and disagreements that have come up, it would have been incredibly handy.

    Also note that while issues are planned to migrate to GitLab, AFAIK, the long term plan is to keep both project nodes and releases on d.o. So the fact GitLab has a feed for some useful things doesn’t solve that the historical view of changes to the “maintainership” is lacking and would be useful, even outside the scope of the parent meta.

    There’s probably an issue somewhere in the GitLab migration family of issues about how to keep project-level permissions in sync between the two worlds, but I don’t have a handy link. And yeah, the two have different models and not all perms cleanly map back and forth. It’s an unfortunate situation. If only 17 years ago me knew what I know now. 😂

  • Comment 10 months ago
    🇺🇸United States drumm NY, US
  • Comment about 2 months ago
    🇮🇹Italy apaderno Brescia, 🇮🇹

    I am not sure that showing a notice when project moderators add a new maintainer/co-maintainer or promotes a co-maintainer to maintainer covers the most important cases for which somebody should get a notice.

    Now that maintainers/co-maintainers can remove themselves from the project from the GitLab side, even project owners can remove themselves from the project. That is an equally important change for which a notice should be shown.
    What about the cases where, out of two maintainers (including the project owner, which is just a maintainer for which the permissions cannot be adjusted), a maintainer becomes inactive?
    What about the cases where the project owner is no longer active, and a new maintainer is added by the existing maintainer?

    Showing a notice only when project moderators add or promote somebody seems to call out what project moderators do, as if they could have done anything wrong. Truly, the chances that a maintainer/co-maintainer added by project moderators does something wrong are the same chances that a maintainer/co-maintainer added by maintainers could do something wrong.

  • Comment about 2 months ago
    🇮🇹Italy apaderno Brescia, 🇮🇹
  • Comment about 2 months ago
    🇮🇹Italy apaderno Brescia, 🇮🇹

    Probably this issue should be split in two: an issue for logging when there is a change in the permissions people have on a project, and an issue for when showing a notice in the project page.
    That is if the notice is shown only for actions project moderators do, which is not a concept the Project module have.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024