- Issue created by @peelas02
- 🇧🇪Belgium BramDriesen Belgium 🇧🇪
@legolasbo You might want to reconsider granting a random, new user maintainer access. This module has 10K installs, and @peelas02 has not made a single post or contribution to this module besides the D11 bot issue. This raises some security questions as well, given that this is being granted so easily.
- 🇧🇪Belgium BramDriesen Belgium 🇧🇪
Let's leave this one at NR for @legolasbo to decide as the request was granted.
- 🇺🇸United States erutan
FWIW I've been noticing a lot of offers to co-maintain large projects by new accounts with little contribution or history recently. The usual response is to participate in the project's issue queue, review some patches, fix some active issues, etc.
I've never seen any of the accounts in this pattern follow through. I assume it's for clout in terms of getting contracts, though it could become a security issue as well.
- 🇳🇱Netherlands legolasbo Middelburg
You're absolutely right @bramdriesen and @erutan. I should have done a better job at vetting before granting the access. I've removed the maintainer access.
- 🇧🇪Belgium BramDriesen Belgium 🇧🇪
Re #6: We as the security team also observed this. There is a new meta open for this; feel free to chime in. 📌 [META|POLICY] Think of a way to make it less easy to become a (co-) maintainer Active
As for the users in this instance who bulk posted the co-maintainer request, there is a tracking issue open 💬 TATA Consultancy Services is bulk posting requests to gain maintainer access to modules Active
Thanks for revoking the rights @legolasbo
Automatically closed - issue fixed for 2 weeks with no activity.