feat: reduce gthub app/secret requirements #554
Conversation
Seven days wait + 2 approvals from both committees is quite bureaucratic, and so is 72 hours fast-tracking for an already approved app/secret, Reducing the number of required approvals to one per committee as well as the wait time to 72 hours as well as reducing the fast-track time to 24 hours should allow collaborators to move forward with their work faster, and since it still require approval from committees it shouldn't have a negative impact on security concerns.
|
I'm comfortable with the change for the one related to already approved apps/secrets, less so for the first time apps/secrets, although mostly for the apps versus secrets. I'd suggest just making the change for the ones related to already approved apps/secrets. |
|
Cc @nodejs/tsc @nodejs/community-committee since it affects the required approvals from both committees. |
|
Nit: |
|
@mmarchini not-yet-approved apps/secrets are more of a concern to me because that's where we should be doing most of the due diligence. It's a |
|
I understand that, but do you disagree that having two people doing the due diligence (one from each committee) is enough? We have a total of four people today. I'd rather have two doing proper due diligence than four "empty" +1s. |
|
@mhdawson just double-checking: are you blocking this from landing? |
|
@mmarchini I'd say yes unless we get more TSC/CommComm members approving. I'd be ok if for the first time request we change either the number of approvers or the time, but not both. I'll also withdraw my objection if more TSC/CommComm members approve. I'm just not comfortable with this change landing with just 1 approval. |
so in the context of |
|
Ok, I'll split this PR into two: one to change the number of approvals on normal requests, and another to change the time on fast-track requests. I might follow up later with a PR suggesting changes to the wait time on normal requests so we can continue discussion. |
There was a problem hiding this comment.
I see the comment about splitting this up, but I just want to add my approval here for the PR as it currently stands - if we are requiring at least two people from the TSC/CommComm to approve, there is an assumed level of competence in those approvals. I can't see a reason we'd need to wait up to 4 additional days for something we can choose to reverse if a concern is raised later.
|
bringing this up again: I think we should merge. |
|
+1 for landing |
GITHUB_ORG_MANAGEMENT_POLICY.md
Outdated
| @@ -133,7 +133,7 @@ a) a link showing how the GitHub App or the secret being requested is already | |||
| in use, and b) ask for approvals to fast-track the request. Two members of | |||
| either TSC or CommComm must approve the fast track request. Fast-tracked | |||
| requests only need one approval from either TSC or CommComm is required, and | |||
| the request must remain open for 72 hours. | |||
| the request must remain open for 24 hours. | |||
There was a problem hiding this comment.
Tiniest of nits:
| the request must remain open for 24 hours. | |
| the request must remain open for 24 hours. | |
|
I assume this can be merged now given nobody's objected? |
Seven days wait + 2 approvals from both committees is quite bureaucratic, and
so is 72 hours fast-tracking for an already approved app/secret, Reducing the
number of required approvals to one per committee as well as the wait time to
72 hours as well as reducing the fast-track time to 24 hours should allow
collaborators to move forward with their work faster, and since it still
require approval from committees it shouldn't have a negative impact on
security concerns.