Yearly maintainer permissions review

[github-actions]

This is a checklist for evaluating python-tuf maintainer accounts and permissions. This issue is automatically opened once a year.

Tasks

1. Update this list to include any new services
2. Evaluate the accounts and permissions for each service on the list. Some rules of thumb:
   • Critical services should have a minimum of 3 active maintainers/admins to prevent project lockout
   • Each additional maintainer/admin increases the risk of project compromise: for this reason permissions should be removed if they are no longer used
   • For services that are not frequently used, each maintainer/admin should check that they really are still able to authenticate to the service and confirm this in the comments
3. Update MAINTAINERS.txt to reflect current permissions

Critical services

• PyPI: maintainer list is visible to everyone at https://pypi.org/project/tuf/
  • Only maintainers who do releases (+potentially org admins to prevent locking the project out)
• GitHub: permissions visible to admins at https://github.com/theupdateframework/python-tuf/settings/access
  • "admin" permission: Only for maintainers and org admins who do project administration
  • "push/maintain" permission: Maintainers who actively approve and merge PRs (+admins)
  • "triage" permission: All contributors trusted to manage issues

Other

• ReadTheDocs: admin list is visible to everyone at https://readthedocs.org/projects/theupdateframework/
• Coveralls: everyone with github "admin" permissions is a Coveralls admin: https://coveralls.io/github/theupdateframework/python-tuf

[jku]

Process for this year was already started in #1793 but I suppose we can document the status here

[lukpueh]

MAINTAINERS.txt: Update in #1855 to reflect currently active maintainers
GitHub permissions: aligns with MAINTAINERS.txt (post #1855)
PyPI and RTD: updated to a subset of MAINTAINERS.txt (post #1855)
Coveralls: depends on GitHub permissions

[jku]

GitHub permissions: aligns with MAINTAINERS.txt (post #1855)

Sadly it seems I still need to use the github API to verify this -- the UI that Github provides for this seems to just lie to my face.

Otherwise Github API result seems to agree with MAINTAINERS.txt but it seems to think that marina does not have any permissions in python-tuf -- this seems like a mistake?

This is how I checked

# print current python-tuf permissions (github access token must have repo write permissions)
curl -u $USER:$TOKEN https://api.github.com/repos/theupdateframework/python-tuf/collaborators | jq ".[] | .login, .permissions"

[lukpueh]

Otherwise Github API result seems to agree with MAINTAINERS.txt but it seems to think that marina does not have any permissions in python-tuf -- this seems like a mistake?

@mnm678 has Maintain permissions via @theupdateframework/python-tuf-maintainers

[jku]

@mnm678 has Maintain permissions via @theupdateframework/python-tuf-maintainers

right... I now see th eexact same results. That was a weird glitch but everything looks right now.

[jku]

Related issues are now closed, maintainer lists have been updated and look decent: thanks Lukas. Multiple pypi maintainers have made releases in the last year so no problems with access there.

Closing as resolved 👍