On Mon, 27 Jan 2025 at 03:09, Yura Sokolov <y.sokolov@postgrespro.ru> wrote:
>
> 23.01.2025 15:57, Jelte Fennema-Nio пишет:
> > (Resent because sending to both -hackers and -www gets emails put in
> > the moderation queue, and I don't want to introduce that delay to all
> > replies. If you received the previous version because you're in the CC
> > please only reply to this one)
> >
> > # Background
> >
> > As some of you might have noticed I've been trying to breathe some
> > more life into development on the commitfest app[1], both by
> > contributing myself but also by encouraging contributions of others.
> > Basically I'd like to become one of the maintainers of the commitfest
> > app project. The process to get there has been much more of a struggle
> > than I'd hoped...
> >
> > ...
> >
> > I requested Magnus to give me commit access to the pgcommitfest repo
> > so that I could deploy improvements without having to wait for his
> > reviews.
>
> Given the history of the libxz backdoor, I'd fear to give "commit access" for
> anything critical to a rather fresh member of the community.

+1. In GitHub you can enforce a minimum number of reviewers. IMO there
should be a minimum of two reviewers, and one of the reviewers should
be from the security group/role. Though the primary risk would be
introducing a new vulnerable dependency, there is no bound to other
kinds of exploitation. Also, GitHub vulnerability scanning should be
enabled by default.

>
> I'm not in core-team though.
>
>
--
Umar Hayat
Bitnine (https://bitnine.net/)